Crashes on parsing certain invalid RPKI objects
Description
Routinator versions up to and including 0.12.1 crash when parsing malicious RPKI objects because of a bug in the bcder library; fixed in 0.12.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Routinator up to and including version 0.12.1 may crash when attempting to parse certain malformed RPKI objects. The crash arises from insufficient input data checking in the bcder decoding library, as described in the advisory [1]. This issue is distinct from CVE-2023-39914, which covers the underlying library flaw [1].
Exploitation
An attacker can craft a specially malformed RPKI object and deliver it to a Routinator instance that fetches and decodes RPKI data. No additional authentication or special network position is required beyond the ability to supply the malicious object (e.g., via an RPKI repository the Routinator is configured to trust). When Routinator attempts to decode the object using the vulnerable bcder library, the insufficient input checking triggers a condition that causes the application to crash [1].
Impact
Successful exploitation causes a denial of service by crashing the Routinator process. This disrupts RPKI validation until the service is restarted. The confidentiality and integrity of the system are not directly compromised, but availability is affected [1].
Mitigation
The vulnerability is fixed in Routinator version 0.12.2, which depends on a corrected version of the bcder library [1]. Users should upgrade to 0.12.2 or later. No workarounds are provided in the advisory. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.12.1
- NLnet Labs/Routinator v5 Range: *
References
[1] nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt (mitre, vendor-advisory)