PT-2021-23757 · NLnet Labs Routinator
Published: 2021-11-09 · Updated: 2022-05-24
CVE-2021-43172
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
NLnet Labs Routinator versions prior to 0.10.2
Description
NLnet Labs Routinator is an RPKI relying-party (validator) that fetches certificates and signed objects from RRDP repositories. In versions prior to 0.10.2 the fetch and validation logic can be driven into denial of service by the data it fetches, in three ways. First, a malicious CA can create a chain of CAs of de facto infinite length by continuously issuing a new child CA whose only content is yet another CA published in a different RRDP repository; Routinator follows the chain without bound, the validation run never finishes, and the instance either keeps serving its previous data set or never serves any data at all. Second, an RRDP repository can use gzip transfer encoding to deliver a response that expands far beyond its transferred size, causing an out-of-memory crash. Third, an RRDP repository can stall a validation run for an arbitrary time by not answering but slowly drip-feeding bytes to keep the connection alive: because the time-out in affected versions applied to individual read or write operations rather than to the complete request, a connection that always makes a little progress never times out.
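The two validator-side controls a fix for the behaviour described above needs are a hard bound on the number of CAs in a chain from the trust anchor and a deadline plus size cap that covers the complete RRDP response. The following Rust program is an added illustration written for this page, not Routinator's own code: the `CaCert` type, the `malicious_repo` and `benign_repo` fetch stand-ins, and the `DripReader` body are all constructed here to model the attacks. Note that a "seen URI" set does not help against the infinite chain, because every hop points at a repository URI that has never been seen; only the depth bound guarantees termination.

```rust
use std::io::{self, Read};
use std::time::{Duration, Instant};

/// Constructed stand-in for a CA certificate as a validator sees it: only the
/// RRDP URI of its publication point matters here (hypothetical type).
#[derive(Clone, Debug, PartialEq)]
pub struct CaCert {
    pub rrdp_uri: String,
}

pub fn ca(uri: &str) -> CaCert {
    CaCert { rrdp_uri: uri.to_string() }
}

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    /// A chain from the trust anchor grew past `max_depth` CAs.
    ChainTooDeep { uri: String, depth: usize },
}

/// Depth-first walk of the CA tree. `fetch` stands in for fetching a CA's
/// publication point over RRDP and returns the child CAs it issues. `depth`
/// is the number of CAs on the chain so far (1 for the root). Returns the
/// number of CAs validated.
pub fn validate_chain<F>(root: &CaCert, depth: usize, max_depth: usize, fetch: &F) -> Result<usize, ValidationError>
where
    F: Fn(&str) -> Vec<CaCert>,
{
    if depth > max_depth {
        return Err(ValidationError::ChainTooDeep { uri: root.rrdp_uri.clone(), depth });
    }
    let mut validated = 1;
    for child in fetch(&root.rrdp_uri) {
        validated += validate_chain(&child, depth + 1, max_depth, fetch)?;
    }
    Ok(validated)
}

/// Constructed malicious repository: whatever CA is asked for, it answers with
/// exactly one child CA located at a repository URI never used before.
pub fn malicious_repo(uri: &str) -> Vec<CaCert> {
    let n: u64 = uri.rsplit('/').next().and_then(|s| s.parse().ok()).unwrap_or(0);
    vec![ca(&format!("https://evil.example/rrdp/{}", n + 1))]
}

/// Constructed benign repository: a trust anchor, one RIR-level CA, two leaf CAs.
pub fn benign_repo(uri: &str) -> Vec<CaCert> {
    match uri {
        "https://ta.example/rrdp/notification.xml" => vec![ca("https://rir.example/rrdp/notification.xml")],
        "https://rir.example/rrdp/notification.xml" => vec![
            ca("https://isp-a.example/rrdp/notification.xml"),
            ca("https://isp-b.example/rrdp/notification.xml"),
        ],
        _ => Vec::new(),
    }
}

/// Constructed drip-feeding server body: one byte per read, a pause between
/// bytes, no end. Every read makes progress, so a per-read time-out never fires.
pub struct DripReader {
    pub interval: Duration,
}

impl Read for DripReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if buf.is_empty() { return Ok(0); }
        std::thread::sleep(self.interval);
        buf[0] = b'x';
        Ok(1)
    }
}

#[derive(Debug, PartialEq)]
pub enum FetchError {
    Deadline { received: usize },
    TooLarge { limit: usize },
    Io(String),
}

/// Reads a complete response body under a deadline that covers the whole
/// request and a cap on the decoded bytes kept in memory. The cap is what stops
/// a small transfer that decodes to an unbounded stream (modelled here with
/// `io::repeat`) from exhausting memory, whatever the transfer encoding.
pub fn read_body<R: Read>(mut body: R, deadline: Duration, max_bytes: usize) -> Result<Vec<u8>, FetchError> {
    let started = Instant::now();
    let mut out = Vec::new();
    let mut buf = [0u8; 4096];
    loop {
        if started.elapsed() > deadline {
            return Err(FetchError::Deadline { received: out.len() });
        }
        let n = body.read(&mut buf).map_err(|e| FetchError::Io(e.to_string()))?;
        if n == 0 {
            return Ok(out);
        }
        if out.len() + n > max_bytes {
            return Err(FetchError::TooLarge { limit: max_bytes });
        }
        out.extend_from_slice(&buf[..n]);
    }
}

fn main() {
    println!("benign: {:?}", validate_chain(&ca("https://ta.example/rrdp/notification.xml"), 1, 32, &benign_repo));
    println!("malicious: {:?}", validate_chain(&ca("https://evil.example/rrdp/0"), 1, 32, &malicious_repo));
    println!("drip: {:?}", read_body(DripReader { interval: Duration::from_millis(5) }, Duration::from_millis(50), 1 << 20).map(|b| b.len()));
    println!("bomb: {:?}", read_body(io::repeat(0), Duration::from_secs(10), 16 * 1024).map(|b| b.len()));
}
```

With a bound of 32 the benign tree validates four CAs, while the malicious repository is cut off at the 33rd CA after 32 fetches; the drip-fed body fails on the overall deadline even though every individual read succeeded, and the unbounded body fails on the size cap after four 4 KiB reads.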
Recommendations
Update NLnet Labs Routinator to version 0.10.2 or later. There is no configuration-level workaround in earlier versions: the mitigations are introduced by the fixed release itself, which bounds the number of CAs in a chain from a trust anchor (the `--max-ca-depth` option, default 32), addresses the gzip transfer-encoding memory exhaustion, and applies the RRDP time-out to the complete request rather than to individual read or write operations. Until the upgrade is deployed, monitor the time since the last completed validation run: a stalled run is not an error as such, and routers fed over RTR will keep receiving the stale data set without any visible failure.
Fix
Uncontrolled Recursion
Memory Exhaustion (out-of-memory crash)
Infinite Loop
Affected Products
Debian
NLnet Labs Routinator