VYPR
Unrated severity · NVD Advisory · Published Sep 21, 2021 · Updated Sep 16, 2024

Invalid RPKI data could disable Route Origin Validation on RTR clients.

CVE-2021-41531

Description

Routinator prior to 0.10.0 passes oversized max-length values in ROAs, causing RTR clients to reject RPKI data and disabling Route Origin Validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Routinator versions prior to 0.10.0, the software does not validate the max-length value carried in a ROA issued by an RPKI CA. According to [1], Routinator simply passes through whatever max-length value the ROA contains. A max-length value, however, must never exceed the maximum prefix length of its address family (32 for IPv4, 128 for IPv6). If a CA publishes a ROA with a value above that limit, Routinator emits an invalid RTR payload. All versions up to and including 0.9.0 are affected [1].
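As an added illustration (not Routinator's own code; the type and function names are assumptions), the following shows the unchecked pass-through the advisory describes next to the bounds check a validator needs before building RTR payloads, using the 32/128 limits stated above plus the RFC 6482 rule that maxLength may not be shorter than the prefix itself:

```rust
/// Address family of a ROA prefix; the limit is the address size in bits.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Afi { Ipv4, Ipv6 }

impl Afi {
    /// Largest legal prefix or max-length value: 32 for IPv4, 128 for IPv6.
    pub fn max_prefix_len(self) -> u8 {
        match self { Afi::Ipv4 => 32, Afi::Ipv6 => 128 }
    }
}

/// One prefix entry from a ROA (assumed shape, not Routinator's type).
#[derive(Debug, Clone, Copy)]
pub struct RoaPrefix {
    pub afi: Afi,
    pub prefix_len: u8,
    /// Optional maxLength; absent means "same as prefix_len".
    pub max_len: Option<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RoaError {
    PrefixTooLong { prefix_len: u8, limit: u8 },
    MaxLenTooLong { max_len: u8, limit: u8 },
    MaxLenBelowPrefix { max_len: u8, prefix_len: u8 },
}

/// Behaviour described for versions before 0.10.0: whatever the CA put in
/// the ROA goes straight into the RTR payload, even a value above 32/128.
pub fn effective_max_len_unchecked(p: &RoaPrefix) -> u8 {
    p.max_len.unwrap_or(p.prefix_len)
}

/// Hardened version: enforce prefix_len <= max_len <= address size
/// (RFC 6482) so no out-of-range value can reach RTR clients.
pub fn effective_max_len_checked(p: &RoaPrefix) -> Result<u8, RoaError> {
    let limit = p.afi.max_prefix_len();
    if p.prefix_len > limit {
        return Err(RoaError::PrefixTooLong { prefix_len: p.prefix_len, limit });
    }
    let max_len = p.max_len.unwrap_or(p.prefix_len);
    if max_len > limit {
        return Err(RoaError::MaxLenTooLong { max_len, limit });
    }
    if max_len < p.prefix_len {
        return Err(RoaError::MaxLenBelowPrefix { max_len, prefix_len: p.prefix_len });
    }
    Ok(max_len)
}
```

A validator that returns an error here can drop the offending ROA (or the whole object) instead of serialising it, which is what keeps the RTR clients from rejecting the entire data set.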

Exploitation

An attacker who controls or compromises an RPKI CA can craft a ROA with an oversized max-length parameter. No authentication or special network position is required beyond the ability to publish such a ROA. When Routinator processes the malformed ROA, it generates an invalid RTR payload without error checking [1]. The invalid payload is then sent to RTR clients (e.g., routers). The attack does not require user interaction; it occurs automatically during the standard RTR update cycle.

Impact

RTR clients that receive the invalid payload will reject the entire RPKI data set [1]. This effectively disables Route Origin Validation (ROV) on those clients, meaning they will no longer validate BGP route origins based on RPKI. No confidentiality or integrity impact is described; the primary impact is availability of the ROV security function.

Mitigation

Upgrade to Routinator 0.10.0 or later, which includes validation of the max-length parameter [1]. The fixed version was released on the same date as the advisory (2021-09-21). No workaround is documented for unpatched versions; administrators should apply the update as soon as possible.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
