CVE-2020-16163

Name of the Vulnerable Software and Affected Versions RIPE NCC RPKI Validator versions 3.x before 3.1-2020.07.06.14.28

Description An issue was discovered in the RIPE NCC RPKI Validator where RRDP fetches proceed even with a lack of validation of a TLS HTTPS endpoint. This allows remote attackers to bypass intended access restrictions, or to trigger denial of service to traffic directed to co-dependent routing systems. It is noted that third parties assert the behavior is intentionally permitted by RFC 8182.

Recommendations For versions 3.x before 3.1-2020.07.06.14.28, consider updating to version 3.1-2020.07.06.14.28 or later to resolve the issue. As a temporary workaround, consider restricting access to the RRDP fetch functionality until a patch is available.