Discover the impact of CVE-2020-16163, a vulnerability in RIPE NCC RPKI Validator 3.x allowing remote attackers to bypass access restrictions or trigger denial of service. Learn about affected systems and mitigation steps.
An issue was discovered in RIPE NCC RPKI Validator 3.x before 3.1-2020.07.06.14.28. RRDP fetches proceed even with a lack of validation of a TLS HTTPS endpoint, potentially allowing remote attackers to bypass access restrictions or trigger denial of service.
Understanding CVE-2020-16163
This CVE covers a flaw in how RIPE NCC RPKI Validator 3.x handles validation of TLS HTTPS endpoints during RRDP fetches.
What is CVE-2020-16163?
The vulnerability allows for RRDP fetches to continue without proper validation of a TLS HTTPS endpoint, enabling attackers to circumvent access controls or disrupt traffic to routing systems.
The Impact of CVE-2020-16163
Technical Details of CVE-2020-16163
This section provides more in-depth technical insights into the CVE.
Vulnerability Description
In RIPE NCC RPKI Validator 3.x before 3.1-2020.07.06.14.28, RRDP fetches proceed even when the TLS HTTPS endpoint has not been validated, so the validator has no assurance that the data it retrieves comes from the intended endpoint.
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit this vulnerability by manipulating RRDP fetches to evade TLS HTTPS endpoint validation.
Mitigation and Prevention
Protect your systems from CVE-2020-16163 with these mitigation strategies.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
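The fixed release named above is 3.1-2020.07.06.14.28. The following is an added example, not code from RIPE NCC or from the original page, that triages an inventory of validator version strings against that release. It assumes versions follow the `<major>.<minor>-<YYYY.MM.DD.HH.MM>` layout inferred from that string; the hostnames, sample versions and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Fixed release named in the advisory text above.
FIXED_RELEASE = "3.1-2020.07.06.14.28"

# Assumed format, inferred from that string: <major>.<minor>-<YYYY.MM.DD.HH.MM>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d{4}\.\d{2}\.\d{2}\.\d{2}\.\d{2})$")


def parse_version(text):
    """Return (major, minor, build_time) or raise ValueError if malformed."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    build_time = datetime.strptime(match.group(3), "%Y.%m.%d.%H.%M")
    return int(match.group(1)), int(match.group(2)), build_time


def is_affected(text):
    """True when the version is a 3.x release older than FIXED_RELEASE."""
    version = parse_version(text)
    if version[0] != 3:
        return False  # the advisory only covers the 3.x line
    return version < parse_version(FIXED_RELEASE)


def triage(inventory):
    """Map host -> 'affected' | 'ok' | 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"  # needs manual review, do not assume safe
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = {
    "rpki-a.example": "3.1-2020.06.01.09.00",
    "rpki-b.example": "3.1-2020.07.06.14.28",
    "rpki-c.example": "3.0-2019.11.20.10.15",
    "rpki-d.example": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Version strings that do not parse are reported as `unknown` rather than `ok`, so a host with an unexpected build label is flagged for manual review.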