CVE-2020-16164
Vulnerability in RPKI manifest validation
Description
A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID. To exploit this vulnerability, an attacker would need to perform a man in the middle attack on the TLS connection between the validator and an RRDP repository or perform a man in the middle attack against a rsync-only repository. The update addresses the vulnerability by implementing validation methods from [RFC 6486bis](https://datatracker.ietf.org/doc/draft-ietf-sidrops-6486bis/00/) and enabling strict validation by default.
How to fix CVE-2020-16164
To remediate CVE-2020-16164, upgrade the affected package to a fixed version below.
- —upgrade to 3.2-2020.10.28.23.06 or later
Is CVE-2020-16164 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.2-2020.10.28.23.06