CVE-2024-45236 is a vulnerability discovered in Fort, an RPKI Relying Party software, affecting versions prior to 1.6.3. The issue arises when a malicious RPKI repository, which is descended from a trusted Trust Anchor, serves a signed object containing an empty signedAttributes field via rsync or RRDP protocols. Fort's implementation does not sanitize or validate the signedAttributes field before accessing its elements, leading to a crash when it encounters an empty field. Since Fort is responsible for validating Route Origin Authorizations (ROAs) to ensure the authenticity of IP prefix announcements, a crash results in the unavailability of Route Origin Validation (ROV). This unavailability can cause routers relying on Fort to accept potentially invalid or malicious route announcements, undermining the integrity of internet routing. The vulnerability is remotely exploitable without requiring any privileges or user interaction, making it a significant risk. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and the impact on availability. Although no exploits are known in the wild yet, the vulnerability represents a critical weakness in the RPKI ecosystem, which is fundamental to securing BGP routing. The underlying CWE is CWE-20 (Improper Input Validation), highlighting the failure to properly handle unexpected input data. No patches were listed at the time of publication, but upgrading to Fort 1.6.3 or later is expected to resolve the issue.

For European organizations, especially ISPs, network operators, and critical infrastructure providers relying on Fort for RPKI validation, this vulnerability can lead to significant routing disruptions. The crash of Fort instances results in the loss of Route Origin Validation, potentially allowing invalid or malicious BGP route announcements to propagate. This can cause traffic hijacking, interception, or denial of service at the network level. Given Europe's dense and interconnected internet infrastructure, such disruptions can cascade, affecting multiple networks and services. The impact is primarily on availability and the trustworthiness of routing information, which is critical for maintaining secure and stable internet operations. Organizations involved in national cybersecurity, telecommunications, and internet exchange points are particularly vulnerable. The lack of confidentiality or integrity impact means data theft or tampering is not directly enabled by this vulnerability, but the routing instability can indirectly facilitate broader attacks or outages.

To mitigate CVE-2024-45236, European organizations should: 1) Upgrade Fort to version 1.6.3 or later as soon as it becomes available, as this version addresses the input validation flaw. 2) Implement monitoring of RPKI repositories and validation software logs to detect anomalous signed objects or crashes indicative of exploitation attempts. 3) Employ redundancy in RPKI validation infrastructure, using multiple Relying Party implementations or instances to avoid single points of failure. 4) Coordinate with upstream RPKI Trust Anchor operators to verify repository integrity and report suspicious signed objects. 5) Harden network perimeter controls to limit exposure of RPKI validation services to trusted sources only. 6) Participate in information sharing communities to stay informed about emerging threats and patches related to RPKI. These steps go beyond generic advice by focusing on operational resilience and proactive detection tailored to the RPKI ecosystem.