CVE-2024-45238

Name of the Vulnerable Software and Affected Versions Fort versions prior to 1.6.3

Description An issue was discovered in Fort where a malicious RPKI repository that descends from a trusted Trust Anchor can serve a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.

Recommendations For versions prior to 1.6.3, upgrade to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPKI repository to minimize the risk of exploitation. Avoid using the rsync or RRDP protocols with untrusted repositories until the issue is resolved.