-------------------------------------------------------------------------
Debian LTS Advisory DLA-4066-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
February 24, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : fort-validator
Version : 1.5.3-1~deb11u2
CVE ID : CVE-2024-45234 CVE-2024-45235 CVE-2024-45236 CVE-2024-45237
CVE-2024-45238 CVE-2024-45239 CVE-2024-48943
Multiple vulnerabilities have been discovered in fort-validator, a RPKI
validator and RTR server.
CVE-2024-45234
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing
a signedAttrs encoded in non-canonical form. This bypasses Fort's
BER decoder, reaching a point in the code that panics when faced
with data not encoded in DER. Because Fort is an RPKI Relying Party,
a panic can lead to Route Origin Validation unavailability, which
can lead to compromised routing.
CVE-2024-45235
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) a resource certificate
containing an Authority Key Identifier extension that lacks the
keyIdentifier field. Fort references this pointer without sanitizing
it first. Because Fort is an RPKI Relying Party, a crash can lead to
Route Origin Validation unavailability, which can lead to
compromised routing.
CVE-2024-45236
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) a signed object containing an
empty signedAttributes field. Fort accesses the set's elements
without sanitizing it first. Because Fort is an RPKI Relying Party,
a crash can lead to Route Origin Validation unavailability, which
can lead to compromised routing.
CVE-2024-45237
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) a resource certificate
containing a Key Usage extension composed of more than two bytes of
data. Fort writes this string into a 2-byte buffer without properly
sanitizing its length, leading to a buffer overflow.
CVE-2024-45238
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) a resource certificate
containing a bit string that doesn't properly decode into a Subject
Public Key. OpenSSL does not report this problem during parsing, and
when compiled with OpenSSL libcrypto versions below 3, Fort
recklessly dereferences the pointer. Because Fort is an RPKI Relying
Party, a crash can lead to Route Origin Validation unavailability,
which can lead to compromised routing.
CVE-2024-45239
A malicious RPKI repository that descends from a (trusted) Trust
Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing
a null eContent field. Fort dereferences the pointer without
sanitizing it first. Because Fort is an RPKI Relying Party, a crash
can lead to Route Origin Validation unavailability, which can lead
to compromised routing.
CVE-2024-48943
A malicious RPKI rsync repository can prevent Fort from finishing
its validation run by drip-feeding its content. The delayed
validation can lead to stale or unavailable Route Origin Validation.
For Debian 11 bullseye, these problems have been fixed in version
1.5.3-1~deb11u2.
We recommend that you upgrade your fort-validator packages.
For the detailed security status of fort-validator please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fort-validator
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS