Hanging RRDP request
Description
Routinator prior to 0.10.2 can be stalled by an RRDP repository that slowly drip-feeds bytes, delaying validation indefinitely and serving stale data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In NLnet Labs Routinator prior to version 0.10.2, the RRDP connection timeout was applied only to individual read or write operations rather than the complete HTTP request [1]. This allows a malicious RRDP repository to keep the connection alive by sending small amounts of data before each per-operation timeout expires, thereby extending the overall request duration indefinitely [1]. Affected versions are Routinator up to and including 0.10.1 [1].
Exploitation
An attacker controlling an RRDP repository can exploit this by establishing a connection with Routinator and then slowly sending data in small chunks, ensuring each chunk arrives before the per-read/write timeout [1]. The attacker does not need authentication or elevated network position because RRDP repositories are typically specified by RPKI certificate authorities in the global RPKI ecosystem [1]. The only requirement is that Routinator attempts to fetch data from the malicious repository during a validation run [1].
Impact
Successful exploitation delays the validation run indefinitely because Routinator waits for the RRDP update to complete before proceeding [1]. This causes Routinator to continue serving the old (potentially stale) RPKI data set, or, if the attack occurs during the initial validation run after startup, to never serve any data at all [1]. The confidentiality, integrity, and availability of the valid RPKI data that relying parties depend on are degraded as a result [1].
Mitigation
The vulnerability is fixed in Routinator version 0.10.2 [1]. Users should upgrade to 0.10.2 or later. As a workaround, operators can configure a stricter overall HTTP timeout at the network level (e.g., using a reverse proxy or firewall) to enforce a maximum connection duration, but no application-level workaround is provided in the advisory [1]. Routinator is not listed on the CISA KEV catalog as of this writing.
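To make the per-operation versus whole-request distinction from the Vulnerability and Mitigation sections concrete, here is an added example (not Routinator's code, and not from the advisory) with a constructed localhost server that drip-feeds one byte at a time. A client bounded only by a per-read timeout reads the whole slow response; a client that also clips every read to an overall request deadline gives up, which is the behaviour a relying party wants.

```python
import socket
import threading
import time


def drip_feed_server(chunks, delay):
    """Constructed stand-in for a slow RRDP repository: listens on a random
    localhost port and sends one chunk every `delay` seconds, never faster."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            try:
                for chunk in chunks:
                    time.sleep(delay)  # each chunk lands just inside a per-read timeout
                    conn.sendall(chunk)
            except OSError:
                pass  # client gave up on us; nothing more to do

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def fetch(port, per_read_timeout, total_timeout=None):
    """Read a response to EOF. `per_read_timeout` bounds each recv() (the
    per-operation behaviour described above); `total_timeout`, when given,
    bounds the whole request by clipping every recv() to a fixed deadline.
    Returns ("ok", data) or ("timeout", reason)."""
    deadline = None if total_timeout is None else time.monotonic() + total_timeout
    data = b""
    with socket.create_connection(("127.0.0.1", port), timeout=per_read_timeout) as s:
        while True:
            if deadline is not None:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return ("timeout", "overall request deadline exceeded")
                s.settimeout(min(per_read_timeout, remaining))
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                if deadline is not None and time.monotonic() >= deadline:
                    return ("timeout", "overall request deadline exceeded")
                return ("timeout", "single read exceeded per-read timeout")
            if not chunk:
                return ("ok", data)
            data += chunk


if __name__ == "__main__":
    # 20 one-byte chunks 0.1 s apart: every read finishes well inside a 0.5 s
    # per-read timeout, so only the overall deadline stops the 2 s drip-feed.
    print(fetch(drip_feed_server([b"x"] * 20, 0.1), per_read_timeout=0.5))
    print(fetch(drip_feed_server([b"x"] * 20, 0.1), per_read_timeout=0.5, total_timeout=0.5))
```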
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Routinator, Range: <0.10.2
- NLnet Labs/Routinator v5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.debian.org/security/2021/dsa-5033 (mitre: vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2022/dsa-5041 (mitre: vendor-advisory, x_refsource_DEBIAN)
- www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt (mitre: x_refsource_MISC)
News mentions
No linked articles in our index yet.