CVE-2024-45236

Name of the Vulnerable Software and Affected Versions Fort versions prior to 1.6.3

Description An issue was discovered in Fort where a malicious RPKI repository that descends from a trusted Trust Anchor can serve a signed object containing an empty signedAttributes field via rsync or RRDP. Fort accesses the set's elements without sanitizing it first, which can lead to a crash and Route Origin Validation unavailability, resulting in compromised routing.

Recommendations For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPKI repository to minimize the risk of exploitation.