CVE-2022-24798: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in irrdnet irrd
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-24798 is a vulnerability affecting the Internet Routing Registry daemon (IRRd) version 4, specifically versions 4.2.0 up to but not including 4.2.3. IRRd is server software that manages Internet Routing Registry (IRR) databases, which store routing policy objects in the Routing Policy Specification Language (RPSL) format. These IRR databases are critical infrastructure components used by network operators to publish and share routing policies and maintain accurate routing information. The vulnerability arises from improper removal of sensitive information before storage or transfer (CWE-212). Specifically, IRRd did not consistently filter out password hashes in query responses related to `mntner` objects (maintainer objects that include authentication credentials) and during database exports. As a result, an attacker able to query an authoritative IRRd instance could retrieve password hashes. These hashes could then be subjected to offline brute-force attacks to recover the clear-text passphrases. With the recovered credentials, an adversary could make unauthorized modifications to IRR objects, potentially altering routing policies or injecting malicious routing information. This vulnerability only affects IRRd instances that serve authoritative databases and process password hashes; mirror-only instances are not impacted. The issue was fixed in IRRd version 4.2.3 and the main development branch. Versions in the 4.1.x series were never affected. There are no known workarounds, so upgrading to 4.2.3 or later is strongly recommended. No known exploits have been observed in the wild to date. The vulnerability impacts the confidentiality and integrity of IRR data and could indirectly affect network availability if routing policies are maliciously altered.
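The defect class described above is a missing sanitisation step on an output path. The following is an added illustration, not IRRd's own code: a single redaction filter for RPSL text that an IRR server would apply to every output path (query responses and database exports alike), so that a hash can never reach a client regardless of which path produced the text. The `mntner` object, the route object and the hash strings are constructed samples; the `DummyValue` placeholder is likewise a constructed choice for this example rather than a value the page attributes to IRRd. The filter treats any `auth:` scheme ending in `-PW` (CRYPT-PW, MD5-PW, and so on) as hash-bearing and leaves `PGPKEY-` references, which name a public key rather than a secret, untouched. A `leaked_hashes` check is included so the filter can be regression-tested on an export before it is published.

```python
import re
from typing import Iterable, Iterator, List

# Constructed placeholder written in place of every password hash.
HASH_PLACEHOLDER = "DummyValue"

# RPSL attribute line: "name:" followed by optional whitespace and the value.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):(\s*)(.*)$")
# auth value "<SCHEME>-PW <hash>". Only *-PW schemes carry a password hash.
_PW_AUTH_RE = re.compile(r"^([A-Za-z0-9]+-PW)\s+(\S.*)$", re.IGNORECASE)

# Constructed sample export: one mntner and one route object, blank-line separated.
# The hash values are made-up strings, not real credentials.
SAMPLE_EXPORT = """\
mntner:         EXAMPLE-MNT
descr:          Example maintainer (constructed sample)
admin-c:        EX123-EXAMPLE
upd-to:         noc@example.net
auth:           MD5-PW $1$saltsalt$ExampleHashValueNotReal12345
auth:           CRYPT-PW ExampleCr
auth:           PGPKEY-AB12CD34
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE

route:          192.0.2.0/24
descr:          Example route (constructed sample)
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE
"""


def redact_auth_value(value: str) -> str:
    """Return an auth value with a password hash replaced by the placeholder.

    PGPKEY-<id> and any other non "-PW" scheme is returned unchanged.
    """
    m = _PW_AUTH_RE.match(value.strip())
    if not m:
        return value
    return f"{m.group(1).upper()} {HASH_PLACEHOLDER}"


def redact_password_hashes(lines: Iterable[str]) -> Iterator[str]:
    """Stream RPSL lines, redacting every hash-bearing auth attribute.

    RPSL allows an attribute value to continue on following lines that start
    with whitespace or '+'. Continuations of a redacted auth value are dropped,
    since the redacted first line already stands for the whole value.
    """
    redacting = False
    for line in lines:
        if line[:1] in (" ", "\t", "+"):
            if not redacting:
                yield line
            continue
        m = _ATTR_RE.match(line)
        if not m:
            # Blank line (object boundary) or comment: ends any open attribute.
            redacting = False
            yield line
            continue
        name, sep, value = m.groups()
        if name.lower() == "auth":
            redacted = redact_auth_value(value)
            redacting = redacted != value
            yield f"{name}:{sep}{redacted}"
        else:
            redacting = False
            yield line


def filter_text(text: str) -> str:
    """Apply the same filter to a query response or an export; one code path."""
    return "\n".join(redact_password_hashes(text.split("\n")))


def leaked_hashes(text: str) -> List[str]:
    """Regression check: auth lines whose -PW hash is not the placeholder."""
    leaks = []
    for line in text.split("\n"):
        m = _ATTR_RE.match(line)
        if m and m.group(1).lower() == "auth":
            pm = _PW_AUTH_RE.match(m.group(3).strip())
            if pm and pm.group(2) != HASH_PLACEHOLDER:
                leaks.append(line)
    return leaks


if __name__ == "__main__":
    filtered = filter_text(SAMPLE_EXPORT)
    print(filtered)
    print("hashes leaked after filtering:", len(leaked_hashes(filtered)))
```

Routing both the whois-style query responder and the export writer through `filter_text` is the point: the CWE-212 failure mode is a second output path that bypasses a filter applied only to the first, and `leaked_hashes` run over a freshly written export file catches exactly that regression.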
Potential Impact
For European organizations, particularly Internet Service Providers (ISPs), network operators, and Internet Exchange Points (IXPs) that rely on IRRd authoritative instances to manage routing policies, this vulnerability poses a significant risk. Unauthorized access to maintainer credentials could allow attackers to modify routing objects, potentially leading to route hijacking, traffic interception, or denial of service through incorrect routing announcements. Such disruptions could affect critical infrastructure, financial institutions, government networks, and large enterprises dependent on stable and secure Internet routing. The impact on confidentiality arises from exposure of password hashes, while integrity is compromised by the possibility of unauthorized changes to IRR objects. Availability could be indirectly affected if routing disruptions occur. Given the central role of IRR in Internet routing security, exploitation could have cascading effects on network trust and stability across European networks. However, the vulnerability requires access to authoritative IRRd instances, which may limit the scope to organizations operating these servers. Mirror-only IRRd instances, commonly used for read-only purposes, are not affected, somewhat reducing the overall exposure.
Mitigation Recommendations
The primary and only effective mitigation is to upgrade all affected IRRd authoritative instances to version 4.2.3 or later, where the vulnerability has been fixed. Organizations should audit their IRRd deployments to identify any instances running versions >=4.2.0 and <4.2.3 and prioritize patching. Since no workarounds exist, patch management is critical. Additionally, organizations should review access controls to IRRd query interfaces to restrict queries to trusted users and networks, minimizing the risk of unauthorized hash retrieval. Monitoring and logging of IRRd queries can help detect unusual access patterns indicative of reconnaissance or exploitation attempts. Network operators should also verify the integrity of their IRR objects post-patch to ensure no unauthorized changes have occurred. Employing strong, complex passwords for maintainer objects reduces the risk of successful brute-force attacks on any exposed hashes. Finally, organizations should consider implementing additional routing security measures such as Resource Public Key Infrastructure (RPKI) validation and BGP Origin Validation to mitigate the impact of potential IRR data tampering.
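The audit step above (find authoritative instances at >=4.2.0 and <4.2.3) is mechanical enough to script. This added helper is not part of the advisory or of IRRd; the inventory rows, host names and version strings are constructed. It applies both conditions the advisory states: the version window, and the fact that mirror-only instances are out of scope. Version strings with pre-release or development suffixes are rejected rather than guessed at, so that such instances are checked by hand against the release notes.

```python
import re
from typing import Iterable, List, Tuple

# Window from the advisory: affected from 4.2.0 (inclusive) up to the fixed
# release 4.2.3 (exclusive). 4.1.x was never affected.
AFFECTED_FROM = (4, 2, 0)
FIXED_IN = (4, 2, 3)

# Accepts only plain release versions such as "4.2.1" or "v4.2.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a release version string; reject anything with a suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Pre-release or dev tags are not guessed at: surface them for review.
        raise ValueError(f"unrecognised IRRd version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str, authoritative: bool) -> bool:
    """CVE-2022-24798 applies only to authoritative instances inside the window."""
    if not authoritative:
        return False
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def audit(inventory: Iterable[Tuple[str, str, bool]]) -> List[str]:
    """Return the names of inventory entries that need the upgrade.

    Each entry is (instance name, version string, serves an authoritative db).
    """
    return [name for name, version, authoritative in inventory
            if is_affected(version, authoritative)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("irr1.example.net", "4.2.2", True),    # authoritative, inside the window
    ("irr2.example.net", "4.2.3", True),    # authoritative, already fixed
    ("mirror.example.net", "4.2.1", False), # mirror only: out of scope
    ("legacy.example.net", "4.1.8", True),  # 4.1.x never affected
]

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: upgrade to IRRd 4.2.3 or later")
```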
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2bc5
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 11:35:51 AM
Last updated: 8/6/2025, 2:41:47 AM