CVE-2021-41531
Invalid RPKI data could disable Route Origin Validation on RTR clients.
In short
Routinator can send invalid data to routers when an RPKI ROA carries an oversized max-length value, causing routers to reject the entire RPKI data set and stop protecting against route hijacking.
Technical detail
When an RPKI CA specifies oversized max-length parameters in ROAs, Routinator prior to 0.10.0 generates malformed RTR payloads that RTR clients reject entirely, disabling Route Origin Validation (ROV) and leaving networks exposed to invalid route advertisements.
Summary generated and translated by AI from the official description.
NLnet Labs Routinator prior to 0.10.0 produces an invalid RTR payload if an RPKI CA uses too large a value in the max-length parameter of a ROA. This will lead RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation.
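The defensive pattern behind this class of bug is to validate every ROA entry before it is encoded into an RTR PDU, and to drop (and log) the bad entry rather than ship a malformed payload that makes the client discard the whole data set. The following is an added example written for this page, not Routinator's code and not its actual 0.10.0 fix, which the description above does not detail. It assumes the RFC 6482 constraint that prefix length <= maxLength <= address-family maximum (32 for IPv4, 128 for IPv6) and the RTR version 1 IPv4/IPv6 Prefix PDU layout from RFC 8210. The sample data set in main() is constructed.

```rust
// Added example (not Routinator's code): validate ROA maxLength before
// encoding RTR Prefix PDUs, so one bad ROA cannot poison the whole payload.
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Prefix {
    V4([u8; 4]),
    V6([u8; 16]),
}

#[derive(Debug, Clone, Copy, PartialEq)]
struct RoaEntry {
    prefix: Prefix,
    prefix_len: u8,
    max_len: u8,
    asn: u32,
}

#[derive(Debug, PartialEq)]
enum RoaError {
    PrefixLenTooLarge { prefix_len: u8, limit: u8 },
    MaxLenBelowPrefixLen { prefix_len: u8, max_len: u8 },
    MaxLenTooLarge { max_len: u8, limit: u8 },
}

impl fmt::Display for RoaError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            RoaError::PrefixLenTooLarge { prefix_len, limit } => {
                write!(f, "prefix length {} exceeds {}", prefix_len, limit)
            }
            RoaError::MaxLenBelowPrefixLen { prefix_len, max_len } => {
                write!(f, "maxLength {} is below prefix length {}", max_len, prefix_len)
            }
            RoaError::MaxLenTooLarge { max_len, limit } => {
                write!(f, "maxLength {} exceeds {}", max_len, limit)
            }
        }
    }
}

/// RFC 6482 section 3.3: prefix length <= maxLength <= address-family maximum.
fn validate(entry: &RoaEntry) -> Result<(), RoaError> {
    let limit: u8 = match entry.prefix {
        Prefix::V4(_) => 32,
        Prefix::V6(_) => 128,
    };
    if entry.prefix_len > limit {
        return Err(RoaError::PrefixLenTooLarge { prefix_len: entry.prefix_len, limit });
    }
    if entry.max_len < entry.prefix_len {
        return Err(RoaError::MaxLenBelowPrefixLen { prefix_len: entry.prefix_len, max_len: entry.max_len });
    }
    if entry.max_len > limit {
        return Err(RoaError::MaxLenTooLarge { max_len: entry.max_len, limit });
    }
    Ok(())
}

/// Encode an RTR v1 IPv4 (type 4, 20 bytes) or IPv6 (type 6, 32 bytes) Prefix PDU
/// as an announcement (flags = 1). Refuses to encode an entry that fails validation.
fn encode_pdu(entry: &RoaEntry) -> Result<Vec<u8>, RoaError> {
    validate(entry)?;
    let (pdu_type, total_len, addr): (u8, u32, &[u8]) = match &entry.prefix {
        Prefix::V4(a) => (4, 20, &a[..]),
        Prefix::V6(a) => (6, 32, &a[..]),
    };
    let mut out = Vec::with_capacity(total_len as usize);
    out.push(1); // protocol version 1
    out.push(pdu_type);
    out.extend_from_slice(&[0, 0]); // zero
    out.extend_from_slice(&total_len.to_be_bytes()); // PDU length
    out.push(1); // flags: 1 = announcement
    out.push(entry.prefix_len);
    out.push(entry.max_len);
    out.push(0); // zero
    out.extend_from_slice(addr); // prefix bytes
    out.extend_from_slice(&entry.asn.to_be_bytes());
    Ok(out)
}

/// Build the payload: encodable entries become PDUs, invalid ones are returned
/// with their reason so they can be logged instead of breaking the whole set.
fn build_payload(entries: &[RoaEntry]) -> (Vec<Vec<u8>>, Vec<(RoaEntry, RoaError)>) {
    let mut pdus = Vec::new();
    let mut rejected = Vec::new();
    for entry in entries {
        match encode_pdu(entry) {
            Ok(pdu) => pdus.push(pdu),
            Err(err) => rejected.push((*entry, err)),
        }
    }
    (pdus, rejected)
}

fn main() {
    // Constructed sample data set: one valid ROA and one with an oversized maxLength.
    let entries = [
        RoaEntry { prefix: Prefix::V4([192, 0, 2, 0]), prefix_len: 24, max_len: 24, asn: 64496 },
        RoaEntry { prefix: Prefix::V4([198, 51, 100, 0]), prefix_len: 24, max_len: 200, asn: 64496 },
    ];
    let (pdus, rejected) = build_payload(&entries);
    println!("{} PDU(s) encoded, {} entry(ies) rejected", pdus.len(), rejected.len());
    for (entry, err) in &rejected {
        println!("rejected ROA for AS{}: {}", entry.asn, err);
    }
}
```

The point of splitting validation from encoding is containment: an RTR client that receives one malformed PDU has no way to skip it, so the validator's only safe options are to reject the entry at ingest or to never emit it. Logging the rejected entries also gives operators a detection signal for misbehaving or misconfigured CAs.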
Affected products
NLnet Labs · Routinator