In the world of cybersecurity, researchers are always on the lookout for vulnerabilities that can be taken advantage of by malicious actors. One such recent discovery is the CVE-2022-3616 vulnerability, which has the potential to disrupt critical internet infrastructure through denial of service attacks. The credit for finding this vulnerability goes to Donika Mirdita and Haya Shulman of Fraunhofer SIT, ATHENE.

The Vulnerability: CVE-2022-3616

The CVE-2022-3616 vulnerability lies in OctoRPKI, a widely used validator for the Resource Public Key Infrastructure (RPKI), which authenticates routing information for internet traffic and so underpins the stability and security of the internet's routing infrastructure. OctoRPKI uses RPKI to validate that the routing information received by routers is legitimate and matches the authorized holders of the IP address blocks it covers.

The vulnerability arises when an attacker creates an exceedingly long chain of Certificate Authorities (CAs) that lead to OctoRPKI exceeding its "max iterations" parameter. This results in the program crashing, preventing it from completing the validation process and leading to a denial of service.

The Attack

To understand the process that an attacker would use to exploit this vulnerability, let's take a look at a code snippet demonstrating how a long chain of CAs can be created:

def create_long_chain_of_cas(ca_length):
    # Builds a root CA plus (ca_length - 1) intermediates, each issued by the previous one
    root_ca = generate_root_ca()

    current_ca = root_ca
    for _ in range(1, ca_length):
        new_ca = generate_intermediate_ca(current_ca)
        current_ca = new_ca

    return root_ca, current_ca

def generate_root_ca():
    # Code for generating root CA (body elided in the original)
    pass

def generate_intermediate_ca(parent_ca):
    # Code for generating intermediate CA using parent CA (body elided in the original)
    pass

root_ca, last_ca = create_long_chain_of_cas(10001)

In this example, an attacker would use the create_long_chain_of_cas() function to create a chain with 10,001 CAs. The resulting chain would exceed OctoRPKI's max iterations parameter, causing the program to crash.

Exploit Details

When OctoRPKI encounters the long chain of CAs, it first attempts to validate the chain by traversing each CA up to the root CA. The process involves checking certificate signatures, expiration dates, and other validation aspects.

However, once the program exceeds the max iterations parameter, it crashes, resulting in a denial of service. The attacker can publish the rogue chain of CAs and force any router using OctoRPKI to cease functioning, effectively disrupting internet traffic routing and causing network instability.
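As an added defender-side illustration (not code from OctoRPKI or from the paper; the CA type, the depth limit of 32 and the tree shape are assumptions made here), this Go snippet shows the mitigation a validator wants for this failure mode: bound the depth of each chain, reject only the over-long subtree, and let the rest of the validation run finish instead of aborting on a global iteration limit.

```go
package main

import "errors"
import "fmt"
// CA is a hypothetical certificate-authority node in an RPKI tree (constructed
// for this example); Children are the CAs issued beneath it.
type CA struct {
	Name     string
	Children []*CA
}
var ErrDepthExceeded = errors.New("rpki: CA chain exceeds maximum depth") // subtree refused: too deep
// ValidateTree walks the tree from root without following any chain deeper
// than maxDepth; it returns the names validated (in visit order) and the roots
// of the subtrees it refused. An over-long chain is pruned at the limit and the
// walk continues with the remaining siblings, so one rogue chain costs one subtree.
func ValidateTree(root *CA, maxDepth int) ([]string, map[string]error) {
	validated := []string{}
	rejected := map[string]error{}
	var walk func(ca *CA, depth int)
	walk = func(ca *CA, depth int) {
		if depth > maxDepth {
			rejected[ca.Name] = ErrDepthExceeded
			return // prune here; nothing below this node is visited
		}
		validated = append(validated, ca.Name)
		for _, child := range ca.Children {
			walk(child, depth+1)
		}
	}
	walk(root, 0)
	return validated, rejected
}
// buildChain hangs a linear chain of n CAs beneath parent (constructed input).
func buildChain(parent *CA, n int) {
	cur := parent
	for i := 0; i < n; i++ {
		next := &CA{Name: fmt.Sprintf("%s/ca%d", parent.Name, i)}
		cur.Children = append(cur.Children, next)
		cur = next
	}
}

func main() {
	root := &CA{Name: "root"}
	buildChain(root, 10000) // rogue 10,000-deep chain, as in the article
	root.Children = append(root.Children, &CA{Name: "legit"})
	ok, bad := ValidateTree(root, 32)
	fmt.Printf("validated=%d rejected=%d\n", len(ok), len(bad)) // validated=34 rejected=1
}
```

The legitimate sibling CA is still validated after the rogue chain is cut off at depth 33, which is the property a crash-on-limit implementation loses.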

Original References

The discoverers of the CVE-2022-3616 vulnerability, Donika Mirdita and Haya Shulman, have provided comprehensive details about the vulnerability and possible mitigation techniques in their research paper:

- Long Chains in RPKI: Denial of Service Vulnerability (PDF)

Additionally, you can find more information about OctoRPKI and the vulnerability on the following resources:

- OctoRPKI GitHub Repository
- CVE-2022-3616 Details on NIST National Vulnerability Database

Conclusion

The discovery of the CVE-2022-3616 vulnerability in OctoRPKI is a testament to the importance of constant vigilance and research in the field of cybersecurity. The findings by Donika Mirdita and Haya Shulman have shed light on a crucial area of potential exploitation by malicious actors. Now that the vulnerability has been identified, it is crucial to implement mitigation measures to protect internet infrastructure from potential denial of service attacks. Organizations and providers that rely on OctoRPKI should be aware of this vulnerability and take necessary steps to secure their systems.

Timeline

Published on: 10/28/2022 07:15:00 UTC
Last modified on: 03/29/2023 09:15:00 UTC