NCSC publishes security advisory around vulnerabilities in RPKI validation software (update)
The NCSC coordinates a multi-party coordinated vulnerability disclosure (CVD) process around vulnerabilities in RPKI validation software. This process requires broad coordination with many international parties. Earlier this year, the researchers who found the vulnerabilities approached the NCSC with the request to assist them in this multi-party process. Following the request, the NCSC has informed various parties of the existence of these vulnerabilities. The NCSC worked together with the involved parties to find a suitable date on which the updates could be made available.
On Tuesday 9 November, the NCSC issued a security advisory (NCSC-2021-0987) about these vulnerabilities. The advisory also includes the solutions of the various developers of validation software. The suggested solutions from the developers can be found at the bottom of this post.
The NCSC will contribute the experiences of this process to the ongoing discussion about multi-party disclosure in order to continue to improve and contribute to national and international digital security.
Overview of developer solutions:
Cloudflare
Cloudflare has released updates to OctoRPKI to address the vulnerabilities. For more information, see link.
FORT
The developers of FORT Validator have released updates to fix the vulnerabilities. For more information, see link.
NLnet Labs
NLnet Labs has released updates for Routinator to fix the vulnerabilities. For more information, see link.
OpenBSD
OpenBSD developers have released updates to address vulnerabilities in rpki-client 7.5. For more information, see link (OpenBSD Errata) and link (rpki-client 7.5).
RIPE NCC
RIPE NCC has indicated that RPKI Validator 3 has not been supported since July 1, 2021 and will no longer receive (security) updates. For more information about RPKI Validator 3, see link.
rpki-prover
The developers of rpki-prover have released updates to address the vulnerabilities. For more information, see link.