
CVE-2024-45234: n/a

Severity: High
Tags: Vulnerability, CVE-2024-45234, cve, cve-2024-45234
Published: Sat Aug 24 2024 (08/24/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing a signedAttrs encoded in non-canonical form. This bypasses Fort's BER decoder, reaching a point in the code that panics when faced with data not encoded in DER. Because Fort is an RPKI Relying Party, a panic can lead to Route Origin Validation unavailability, which can lead to compromised routing.

AI-Powered Analysis

Last updated: 11/03/2025, 21:47:20 UTC

Technical Analysis

CVE-2024-45234 is a vulnerability in Fort, an RPKI Relying Party that validates Route Origin Authorizations (ROAs) and Manifests in the Resource Public Key Infrastructure (RPKI). The flaw is triggered when a malicious RPKI repository, trusted because it descends from a valid Trust Anchor, serves an ROA or Manifest whose signedAttrs is encoded in non-canonical BER (Basic Encoding Rules) rather than the expected DER (Distinguished Encoding Rules). The non-canonical encoding bypasses Fort’s BER decoder and reaches code that panics (crashes) when faced with data not encoded in DER.

The panic makes Route Origin Validation unavailable. Route Origin Validation is the process that ensures IP prefixes are only announced by authorized Autonomous Systems; without it, routing decisions can be compromised, potentially allowing route hijacking or traffic interception. The vulnerability can be exploited remotely through the standard RPKI repository synchronization protocols, rsync and RRDP, without authentication or user interaction.

The CVSS v3.1 score of 7.5 reflects a network attack vector, low attack complexity, no privileges required and no user interaction, combined with a high impact on availability. No public exploits are currently known, but the vulnerability is a significant risk to the security and stability of internet routing infrastructure that relies on Fort. Fort versions prior to 1.6.3 are affected, and upgrading to 1.6.3 or later is necessary to remediate the issue. The vulnerability is associated with CWE-295 (Improper Certificate Validation), highlighting the importance of strict encoding validation in cryptographic protocols.

Potential Impact

For European organizations, particularly ISPs, network operators, and internet exchange points that rely on Fort for RPKI validation, this vulnerability poses a serious risk to routing security and network availability. A successful exploit can cause Fort to crash, resulting in the loss of Route Origin Validation capabilities. This can lead to acceptance of invalid or malicious route announcements, enabling route hijacking, traffic interception, or denial of service through routing disruptions. Such incidents could impact critical infrastructure, financial institutions, government networks, and large enterprises dependent on stable and secure internet connectivity. The disruption of routing validation services could also undermine trust in the RPKI system, complicating incident response and remediation efforts. Given the network-wide impact of routing anomalies, the consequences can extend beyond a single organization, affecting broader internet stability and security within Europe.

Mitigation Recommendations

European organizations using Fort should immediately upgrade to version 1.6.3 or later, where this vulnerability is fixed. In addition, network operators should implement strict validation of RPKI data encoding to detect and reject non-canonical BER encodings before they reach Fort. Deploying monitoring tools that alert on unexpected RPKI repository behavior or Fort process crashes can provide early warning of exploitation attempts. Organizations should also consider deploying redundant RPKI validators to maintain validation availability in case of a crash. Network operators can restrict access to RPKI repositories to trusted sources and monitor synchronization protocols (rsync, RRDP) for anomalies. Coordination with upstream providers and participation in information sharing groups focused on routing security can enhance situational awareness. Finally, organizations should review their incident response plans to include scenarios involving RPKI validation failures and routing hijacks.
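To make "non-canonical BER" concrete, the following added example (not Fort's code and not part of the original advisory) checks a signedAttrs blob against the structural rules that separate DER from BER: definite minimal-length encoding, no constructed primitives, and SET OF elements in ascending order. All function and variable names are illustrative, the sample attributes are constructed, and value-level DER rules (for example BOOLEAN or INTEGER contents) are outside its scope.

```python
class NotDER(ValueError): pass  # added example; every name here is illustrative

def read_tlv(buf, pos, end):  # -> (tag, value_start, value_end), DER length rules
    if pos + 2 > end or (buf[pos] & 0x1F) == 0x1F:
        raise NotDER("truncated header or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form; 0x80 itself is BER indefinite length
        raw = buf[pos:pos + (length & 0x7F)]
        if not raw or len(raw) != (length & 0x7F) or raw[0] == 0:
            raise NotDER("indefinite, truncated or zero-padded length")
        length, pos = int.from_bytes(raw, "big"), pos + len(raw)
        if length < 0x80:
            raise NotDER("long form used for a short length")
    if pos + length > end:
        raise NotDER("value overruns its container")
    return tag, pos, pos + length

def check_der(buf, start, end):  # returns child encodings or raises NotDER
    pos, items = start, []
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag & 0x20:  # constructed: among universal tags only SEQUENCE/SET
            if (tag & 0xC0) == 0 and tag not in (0x30, 0x31):
                raise NotDER("constructed encoding of a primitive type")
            children = check_der(buf, vs, ve)
            if tag == 0x31 and children != sorted(children):
                raise NotDER("SET OF elements not in ascending order")
        items.append(buf[pos:ve])
        pos = ve
    return items

def signed_attrs_is_der(blob):  # accepts [0] IMPLICIT (0xA0) or SET (0x31) tagging
    if not blob or blob[0] not in (0xA0, 0x31):
        return False
    buf = b"\x31" + bytes(blob[1:])
    try:
        return len(check_der(buf, 0, len(buf))) == 1
    except NotDER:
        return False

def tlv(tag, body):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample: contentType and messageDigest attributes (all-zero digest).
P = bytes.fromhex("2a864886f70d0109")
A = tlv(0x30, tlv(0x06, P + b"\x03") + tlv(0x31, tlv(0x06, P + b"\x10\x01\x18")))
B = tlv(0x30, tlv(0x06, P + b"\x04") + tlv(0x31, tlv(0x04, bytes(32))))
GOOD, UNSORTED = tlv(0xA0, A + B), tlv(0xA0, B + A)
LONG_LEN = b"\xa0\x81" + bytes([len(A + B)]) + A + B
INDEFINITE = b"\xa0\x80" + A + B + b"\x00\x00"
```

`signed_attrs_is_der(GOOD)` returns `True`; the reordered, long-form-length and indefinite-length variants carry the same attributes but return `False`.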


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2024-08-24T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6909214ffe7723195e054675

Added to database: 11/3/2025, 9:40:31 PM

Last enriched: 11/3/2025, 9:47:20 PM

Last updated: 12/19/2025, 9:58:24 AM
