CVE-2024-45239

Name of the Vulnerable Software and Affected Versions Fort versions prior to 1.6.3

Description An issue was discovered in Fort where a malicious RPKI repository that descends from a trusted Trust Anchor can serve an ROA or a Manifest containing a null eContent field via rsync or RRDP. Fort dereferences the pointer without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.

Recommendations For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the RPKI repository to minimize the risk of exploitation. Avoid using the eContent field in the affected ROA or Manifest until the issue is resolved.