CVE-2021-43172 allows a malicious CA to create an infinitely long chain of CAs in Routinator, leading to denial of service. This page covers the impact, affected versions, and mitigation steps.
NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run, allowing for an uncontrolled recursion vulnerability.
Understanding CVE-2021-43172
This CVE describes a vulnerability in Routinator that can be exploited by a malicious CA to create a chain of CAs with infinite length, leading to denial of service.
What is CVE-2021-43172?
CVE-2021-43172 is a vulnerability in NLnet Labs Routinator prior to version 0.10.2 that allows a malicious certification authority (CA) to create a chain of CAs with an infinite length. This results in a denial-of-service condition where the validation run never finishes.
The Impact of CVE-2021-43172
The vulnerability allows an attacker to keep issuing child CAs, each publishing in a different RRDP repository, so that Routinator fetches and processes one new repository after another and the chain never ends. Because the validation run never completes, Routinator keeps serving outdated data or no data at all, impacting the RPKI validation process.
Technical Details of CVE-2021-43172
This section provides insight into the vulnerability specifics.
Vulnerability Description
Routinator prior to version 0.10.2 lacks a limit on the length of RRDP repository chains created by a malicious CA. The walk down such a chain is unbounded, so a validation run never terminates, resulting in denial of service.
Affected Systems and Versions
NLnet Labs Routinator, all versions prior to 0.10.2.
Exploitation Mechanism
A malicious CA issues a child CA whose products are published in a new RRDP repository; that child CA in turn issues another child CA in yet another repository, and so on without end. Routinator follows each new repository in turn and, having no limit on chain length, never finishes the validation run.
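The following Rust program is an added illustration written for this page; it is not Routinator's code. It models a validator walking a CA tree in which every CA may publish in its own RRDP repository, using a constructed malicious source (EndlessChain) that issues one new child CA in a fresh repository forever, alongside a constructed benign source (FiniteTree). The walk is bounded by a max_depth parameter: a branch that exceeds it is pruned and counted rather than followed. Without that bound, the loop in validate_tree never returns for EndlessChain, which is the failure CVE-2021-43172 describes. All names, URIs and the depth limit are assumptions made for the example.

```rust
use std::collections::HashSet;

/// Constructed toy model of a CA certificate as seen by a validator:
/// the CA's name and the RRDP repository its products are published in.
#[derive(Clone, Debug, PartialEq)]
pub struct CaCert {
    pub name: String,
    pub rrdp_uri: String,
}

/// Source of child CAs for a given CA. This stands in for fetching the CA's
/// manifest and child certificates from its RRDP repository.
pub trait CaSource {
    fn children_of(&self, ca: &CaCert) -> Vec<CaCert>;
}

/// Numeric suffix of a constructed CA name such as "ca7".
fn ca_index(ca: &CaCert) -> usize {
    ca.name.trim_start_matches("ca").parse().unwrap_or(0)
}

/// Constructed malicious CA: every CA issues exactly one child CA that lives
/// in a brand-new RRDP repository, so the chain never ends.
pub struct EndlessChain;

impl CaSource for EndlessChain {
    fn children_of(&self, ca: &CaCert) -> Vec<CaCert> {
        let n = ca_index(ca) + 1;
        vec![CaCert {
            name: format!("ca{}", n),
            rrdp_uri: format!("https://rrdp.example.invalid/repo-{}/notification.xml", n),
        }]
    }
}

/// Constructed benign CA tree: a single chain of fixed depth in one repository.
pub struct FiniteTree {
    pub depth: usize,
}

impl CaSource for FiniteTree {
    fn children_of(&self, ca: &CaCert) -> Vec<CaCert> {
        let n = ca_index(ca);
        if n >= self.depth {
            return vec![];
        }
        vec![CaCert {
            name: format!("ca{}", n + 1),
            rrdp_uri: ca.rrdp_uri.clone(),
        }]
    }
}

/// Summary of one validation run.
#[derive(Debug, Default, PartialEq)]
pub struct RunStats {
    pub cas_processed: usize,
    pub repositories_seen: usize,
    pub branches_pruned: usize,
}

/// Walk the CA tree below `ta`. A CA deeper than `max_depth` is not
/// descended into; its branch is counted as pruned and the run continues, so
/// one malicious CA cannot keep the whole run from finishing. Remove the
/// depth check and this loop never returns for `EndlessChain`.
pub fn validate_tree(ta: &CaCert, source: &dyn CaSource, max_depth: usize) -> RunStats {
    let mut stats = RunStats::default();
    let mut repos: HashSet<String> = HashSet::new();
    let mut stack: Vec<(CaCert, usize)> = vec![(ta.clone(), 0)];
    while let Some((ca, depth)) = stack.pop() {
        if depth > max_depth {
            stats.branches_pruned += 1;
            continue;
        }
        stats.cas_processed += 1;
        repos.insert(ca.rrdp_uri.clone());
        for child in source.children_of(&ca) {
            stack.push((child, depth + 1));
        }
    }
    stats.repositories_seen = repos.len();
    stats
}

fn main() {
    let ta = CaCert {
        name: "ca0".to_string(),
        rrdp_uri: "https://rrdp.example.invalid/ta/notification.xml".to_string(),
    };
    println!("benign:    {:?}", validate_tree(&ta, &FiniteTree { depth: 3 }, 32));
    println!("malicious: {:?}", validate_tree(&ta, &EndlessChain, 32));
}
```

The depth limit of 32 is an arbitrary value chosen for the example; the point is that any finite bound turns an unbounded walk into one that completes and reports how many branches it refused to follow, which is also the signal a defender would want to alert on.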
Mitigation and Prevention
Protecting systems from CVE-2021-43172 requires immediate action and long-term security measures.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Upgrade Routinator to version 0.10.2 or later, which no longer processes RRDP repository chains without limit.