Skip to main content

CVE-2022-24798: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in irrdnet irrd

Medium
Published: Thu Mar 31 2022 (03/31/2022, 23:05:11 UTC)
Source: CVE
Vendor/Project: irrdnet
Product: irrd

Description

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

AILast updated: 06/23/2025, 11:35:51 UTC

Technical Analysis

CVE-2022-24798 is a vulnerability affecting the Internet Routing Registry daemon (IRRd) version 4, specifically versions 4.2.0 up to but not including 4.2.3. IRRd is a server software that manages Internet Routing Registry (IRR) databases, which store routing policy objects in the Routing Policy Specification Language (RPSL) format. These IRR databases are critical infrastructure components used by network operators to publish and share routing policies and maintain accurate routing information. The vulnerability arises from improper removal of sensitive information before storage or transfer (CWE-212). Specifically, IRRd did not consistently filter out password hashes in query responses related to 'mntner' objects (maintainer objects that include authentication credentials) and during database exports. As a result, an attacker able to query an authoritative IRRd instance could retrieve password hashes. These hashes could then be subjected to offline brute-force attacks to recover the clear-text passphrases. With the recovered credentials, an adversary could make unauthorized modifications to IRR objects, potentially altering routing policies or injecting malicious routing information. This vulnerability only affects IRRd instances that serve authoritative databases and process password hashes; mirror-only instances are not impacted. The issue was fixed in IRRd version 4.2.3 and the main development branch. Versions in the 4.1.x series were never affected. There are no known workarounds, so upgrading to 4.2.3 or later is strongly recommended. No known exploits have been observed in the wild to date. The vulnerability impacts the confidentiality and integrity of IRR data and could indirectly affect network availability if routing policies are maliciously altered.

Potential Impact

For European organizations, particularly Internet Service Providers (ISPs), network operators, and Internet Exchange Points (IXPs) that rely on IRRd authoritative instances to manage routing policies, this vulnerability poses a significant risk. Unauthorized access to maintainer credentials could allow attackers to modify routing objects, potentially leading to route hijacking, traffic interception, or denial of service through incorrect routing announcements. Such disruptions could affect critical infrastructure, financial institutions, government networks, and large enterprises dependent on stable and secure Internet routing. The impact on confidentiality arises from exposure of password hashes, while integrity is compromised by the possibility of unauthorized changes to IRR objects. Availability could be indirectly affected if routing disruptions occur. Given the central role of IRR in Internet routing security, exploitation could have cascading effects on network trust and stability across European networks. However, the vulnerability requires access to authoritative IRRd instances, which may limit the scope to organizations operating these servers. Mirror-only IRRd instances, commonly used for read-only purposes, are not affected, somewhat reducing the overall exposure.

Mitigation Recommendations

The primary and only effective mitigation is to upgrade all affected IRRd authoritative instances to version 4.2.3 or later, where the vulnerability has been fixed. Organizations should audit their IRRd deployments to identify any instances running versions >=4.2.0 and <4.2.3 and prioritize patching. Since no workarounds exist, patch management is critical. Additionally, organizations should review access controls to IRRd query interfaces to restrict queries to trusted users and networks, minimizing the risk of unauthorized hash retrieval. Monitoring and logging of IRRd queries can help detect unusual access patterns indicative of reconnaissance or exploitation attempts. Network operators should also verify the integrity of their IRR objects post-patch to ensure no unauthorized changes have occurred. Employing strong, complex passwords for maintainer objects reduces the risk of successful brute-force attacks on any exposed hashes. Finally, organizations should consider implementing additional routing security measures such as Resource Public Key Infrastructure (RPKI) validation and BGP Origin Validation to mitigate the impact of potential IRR data tampering.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2bc5

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 11:35:51 AM

Last updated: 8/12/2025, 8:47:58 AM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats