CVE-2020-16164
Vulnerability in RPKI manifest validation
Description
A vulnerability in RPKI manifest validation exists when objects listed on the manifest are hidden, or when expired objects are replayed. An attacker who successfully exploits this vulnerability could prevent new ROAs from being received, or selectively hide ROAs, causing routes to be evaluated as INVALID. To exploit it, an attacker would need to perform a man-in-the-middle attack on the TLS connection between the validator and an RRDP repository, or a man-in-the-middle attack against an rsync-only repository. The update addresses the vulnerability by implementing the validation rules from [RFC 6486bis](https://datatracker.ietf.org/doc/draft-ietf-sidrops-6486bis/00/) and enabling strict validation by default.
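The following Python example is added here to illustrate the validation rules the description refers to; it is not the affected validator's own code and does not parse real RPKI objects. It models a manifest as its number, thisUpdate/nextUpdate window and file list (name to SHA-256), and the fetched publication point as a name-to-bytes map (both constructed sample data). The `strict` flag contrasts the pre-fix behaviour (silently skip listed objects that are missing or altered, which is what lets an attacker hide ROAs) with the RFC 6486bis behaviour (treat the whole publication point as a failed fetch). The stale-manifest and manifest-number checks cover the replay case. Field names, the `validate_publication_point` function and the hypothetical `.roa` file names are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass


class ManifestValidationError(Exception):
    """Raised when the publication point must be treated as a failed fetch."""


@dataclass
class Manifest:
    manifest_number: int   # must not go backwards between fetches
    this_update: int       # seconds since epoch (start of validity)
    next_update: int       # seconds since epoch (end of validity)
    file_list: dict        # object file name -> hex SHA-256 of its DER bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_publication_point(manifest, fetched, now, last_manifest_number=None, strict=True):
    """Return the objects accepted from one publication point.

    strict=True follows RFC 6486bis: any listed object that is missing or whose
    hash does not match invalidates the whole fetch. strict=False models the
    lenient pre-fix behaviour that lets a MITM hide individual ROAs.
    Objects present at the publication point but absent from the manifest are
    ignored in both modes (they are never authenticated by the manifest).
    """
    # Replay of an expired manifest (and its expired objects) is rejected here.
    if manifest.this_update > now:
        raise ManifestValidationError("manifest thisUpdate is in the future")
    if now > manifest.next_update:
        raise ManifestValidationError("manifest is stale (nextUpdate has passed)")
    # Replay of an older, still-valid manifest is caught by the monotonic number.
    if last_manifest_number is not None and manifest.manifest_number < last_manifest_number:
        raise ManifestValidationError("manifest number decreased (replay)")

    accepted = {}
    for name, expected in manifest.file_list.items():
        data = fetched.get(name)
        if data is None or sha256_hex(data) != expected:
            if strict:
                raise ManifestValidationError(f"{name} missing or hash mismatch")
            continue  # lenient: quietly drop the object; this is the bug
        accepted[name] = data
    return accepted


def rejects(*args, **kwargs) -> bool:
    """True if validate_publication_point raises for the given inputs."""
    try:
        validate_publication_point(*args, **kwargs)
    except ManifestValidationError:
        return True
    return False


# Constructed sample data: two fake ROA blobs and a fixed "current time".
ROA_A = b"constructed DER bytes for ROA A"
ROA_B = b"constructed DER bytes for ROA B"
NOW = 1_604_000_000
MANIFEST = Manifest(
    manifest_number=42,
    this_update=NOW - 3600,
    next_update=NOW + 86400,
    file_list={"a.roa": sha256_hex(ROA_A), "b.roa": sha256_hex(ROA_B)},
)
FULL_REPO = {"a.roa": ROA_A, "b.roa": ROA_B}
REPO_WITH_B_HIDDEN = {"a.roa": ROA_A}          # MITM dropped b.roa
REPO_WITH_B_TAMPERED = {"a.roa": ROA_A, "b.roa": b"altered"}
STALE_MANIFEST = Manifest(41, NOW - 90000, NOW - 1, MANIFEST.file_list)


if __name__ == "__main__":
    print(sorted(validate_publication_point(MANIFEST, FULL_REPO, NOW, 41)))
    print(sorted(validate_publication_point(MANIFEST, REPO_WITH_B_HIDDEN, NOW, strict=False)))
    print(rejects(MANIFEST, REPO_WITH_B_HIDDEN, NOW))
    print(rejects(STALE_MANIFEST, FULL_REPO, NOW))
```

The lenient branch is the interesting one: with `strict=False` the hidden `b.roa` simply disappears from the accepted set, so a prefix that should be covered by ROA B is no longer covered and its announcements turn INVALID, exactly the outcome the description warns about. With strict validation the same input yields a failed fetch, which a validator handles by keeping the last good data for that publication point rather than quietly losing ROAs.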
How to fix CVE-2020-16164
To fix CVE-2020-16164, upgrade the affected package to the patched version listed below.
- — upgrade to 3.2-2020.10.28.23.06 or later
Is CVE-2020-16164 being exploited?
Low: the EPSS score is 0.2%, and no widespread exploitation activity has been observed so far.
Affected packages (1)
- all versions from 0 up to, but not including, 3.2-2020.10.28.23.06