Haya Shulman

**Name of the Vulnerable Software and Affected Versions** Routinator versions 0.9.0 through 0.12.1 **Description** The issue concerns a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature of Routinator. This feature allows users to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Due to insufficient sanitation of the URL, it is possible for an attacker to craft a URL that results in the response being stored outside of the directory specified for it. **Recommendations** For Routinator versions 0.9.0 through 0.12.1, consider disabling the keep-rrdp-responses feature until a patch is available to prevent potential path traversal attacks. Restrict access to the directory where responses are stored to minimize the risk of exploitation. Avoid using the keep-rrdp-responses feature with untrusted RRDP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Routinator versions up to and including 0.12.1 **Description** The issue is caused by insufficient input checking in the bcder library, which may lead to a crash when trying to parse certain malformed RPKI objects. **Recommendations** For versions up to and including 0.12.1, update to a version that includes the fix for the insufficient input checking in the bcder library to prevent crashes when parsing malformed RPKI objects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs' bcder library versions 0.7.2 and earlier **Description** The bcder library panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding. **Recommendations** For versions 0.7.2 and earlier, update to version 0.7.3 or later, which fixes the issue by more thoroughly checking inputs and returning errors as expected. As a temporary workaround, consider implementing additional input validation to prevent the library from panicking when encountering invalid data.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Routinator versions 0.9.0 through 0.11.2 **Description** The issue arises from a mistake in error handling, where data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error, causing Routinator to exit. This can lead to a denial of service for the RPKI data that Routinator provides to routers, potentially stopping networks from validating route origins based on RPKI data. However, this issue does not allow an attacker to manipulate RPKI data. **Recommendations** For NLnet Labs Routinator versions 0.9.0 through 0.11.2, consider updating to a version where this error handling issue is fixed, as the current version can cause Routinator to exit due to incorrectly base 64 encoded data in RRDP files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dproxy-nexgen (affected versions not specified) **Description** The issue arises from the misinterpretation of special domain name characters in dproxy-nexgen, leading to cache poisoning. This occurs because domain names and their associated IP addresses are cached in their misinterpreted form. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dproxy-nexgen (affected versions not specified) **Description** The issue allows attackers to conduct DNS cache-poisoning attacks because the DNS transaction id (TXID) value from client queries is re-used. This enables attackers, who can send queries to the resolver, to exploit the known TXID value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dproxy-nexgen (affected versions not specified) **Description** The issue allows DNS cache poisoning due to the use of a static UDP source port with insufficient entropy to prevent traffic injection attacks. This occurs because dproxy-nexgen selects the UDP source port randomly only at boot time in upstream queries sent to DNS resolvers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dproxy-nexgen (affected versions not specified) **Description** The issue concerns dproxy-nexgen forwarding and caching DNS queries with the CD bit set to 1, which leads to the disabling of DNSSEC protection provided by upstream resolvers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DNRD (aka Domain Name Relay Daemon) version 2.20.3 **Description** The issue concerns the forwarding and caching of DNS queries with the CD bit set to 1, which results in the disabling of DNSSEC protection provided by upstream resolvers. This affects the security of DNS queries. **Recommendations** For DNRD version 2.20.3, consider disabling the caching of DNS queries with the CD bit set to 1 until a patch is available. Restrict access to the DNS query forwarding feature to minimize the risk of exploitation. Avoid using the CD bit in DNS queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DNRD (aka Domain Name Relay Daemon) version 2.20.3 **Description** The issue arises from the misinterpretation of special domain name characters, leading to cache poisoning. This occurs because domain names and their associated IP addresses are cached in their misinterpreted form. **Recommendations** For DNRD (aka Domain Name Relay Daemon) version 2.20.3, consider disabling the caching functionality until a patch is available to prevent cache poisoning. Restrict access to the domain name resolution service to minimize the risk of exploitation. Avoid using special domain name characters in the affected DNRD version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** totd version 1.5.3 **Description** The issue allows DNS cache poisoning due to the use of a fixed UDP source port in upstream queries sent to DNS resolvers, resulting in insufficient entropy to prevent traffic injection attacks. **Recommendations** For totd version 1.5.3, consider implementing a random UDP source port for upstream queries to DNS resolvers to prevent traffic injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uClibc versions prior to 1.0.39 uClibc-ng versions prior to 1.0.39 **Description** The issue is related to insufficient input validation in the uClibc and uClibc-ng libraries, which can be exploited by a remote attacker to execute arbitrary code. The problem lies in the incorrect handling of special characters in domain names returned by DNS servers via functions such as `gethostbyname`, `getaddrinfo`, `gethostbyaddr`, and `getnameinfo`. This can lead to the output of wrong hostnames, resulting in domain hijacking, or the injection of malicious data into applications, potentially causing remote code execution, cross-site scripting (XSS), application crashes, and other issues. **Recommendations** For uClibc versions prior to 1.0.39, update to version 1.0.39 or later to resolve the issue. For uClibc-ng versions prior to 1.0.39, update to version 1.0.39 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `gethostbyname`, `getaddrinfo`, `gethostbyaddr`, and `getnameinfo` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenWrt versions prior to 19.07.8 **Description** The issue is related to missing input validation of host names displayed in OpenWrt, which allows for XSS attacks on the Connection Status page of the luci web-interface. This can be exploited to gain full control over the affected system via ICMP. The vulnerability is associated with a lack of protection measures for the web page structure, enabling a remote attacker to conduct an inter-site scripting attack. **Recommendations** For OpenWrt versions prior to 19.07.8, update to version 19.07.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Connection Status page of the luci web-interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** radsecproxy (affected versions not specified) **Description** The issue is related to missing input validation in radsecproxy's `naptr-eduroam.sh` and `radsec-dynsrv.sh` scripts, which can lead to configuration injection via crafted radsec peer discovery DNS records. This can result in information disclosure, denial of service, and redirection of the Radius connection to a non-authenticated server, leading to non-authenticated network access. **Recommendations** To resolve the issue, update the example scripts to the versions available in the master branch or 1.9 release. Note that these scripts are not part of the installation package and must be updated manually. The updated scripts can be used with any version of radsecproxy. As a temporary workaround, consider restricting the use of the vulnerable scripts until the updated versions are applied.

**Name of the Vulnerable Software and Affected Versions** Go versions 1.15.x before 1.15.13 Go versions 1.16.x before 1.16.5 **Description** The issue is related to the DNS lookup functions in the Go programming language, which do not properly validate replies from DNS servers. This can lead to the return of unsafe injections, such as XSS, that do not conform to the RFC1035 format. The vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The affected functions include LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr, which may return arbitrary values retrieved from DNS that do not follow established rules for domain names. If these names are used without further sanitization, they may allow for injection of unexpected content. **Recommendations** For Go versions 1.15.x before 1.15.13, update to version 1.15.13 or later to resolve the issue. For Go versions 1.16.x before 1.16.5, update to version 1.16.5 or later to resolve the issue. As a temporary workaround, consider sanitizing the output of the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions to prevent injection of unexpected content.