CVE-2024-45238: n/a
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
AI Analysis
Technical Summary
CVE-2024-45238 is a vulnerability in Fort, an RPKI Relying Party used to validate Route Origin Authorizations (ROAs) for internet routing security. The issue arises when Fort processes a resource certificate served by a malicious RPKI repository that descends from a trusted Trust Anchor. The attacker can craft a resource certificate whose subjectPublicKey bit string does not decode into a valid Subject Public Key. OpenSSL libcrypto versions below 3 do not report the malformed bit string during parsing, and Fort dereferences the resulting invalid pointer without checking it. The Fort process crashes, making Route Origin Validation unavailable. Since Fort supplies validated routing information, its failure can cause routing decisions to be made without RPKI validation, increasing the risk of route hijacking or misrouting. The vulnerability can be triggered remotely over the rsync or RRDP protocols used to fetch RPKI data, requires no privileges or user interaction, and affects Fort versions before 1.6.3. The underlying weakness is a NULL pointer dereference (CWE-476). Although no exploits are currently known in the wild, the vulnerability poses a significant risk to routing infrastructure that relies on Fort for RPKI validation. The CVSS 3.1 base score is 7.5: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no impact on confidentiality or integrity, and high impact on availability.
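The failure class described above, shown as an added example that is not Fort's or OpenSSL's code: a minimal DER walker for a SubjectPublicKeyInfo that refuses to hand back a half-decoded key. The helper names, the rsaEncryption-only scope and the sample inputs are constructed for illustration. The point it demonstrates is that a BIT STRING can be syntactically valid while its payload still fails to decode into a key; a relying party must treat that result as a rejected certificate, never as a key to dereference.

```python
# Added example (not Fort's or OpenSSL's code): a SubjectPublicKeyInfo
# checker that models the failure class of CVE-2024-45238. A parser that
# signals "no key" by returning None must be checked before use.

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one DER TLV; used only to construct the sample inputs below."""
    return bytes([tag]) + encode_length(len(content)) + content


def read_tlv(buf, pos=0):
    """Parse one TLV at buf[pos]; return (tag, value, end). Raises ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_rsa_public_key(bit_string):
    """Decode the BIT STRING payload of an rsaEncryption SPKI into (n, e)."""
    if not bit_string or bit_string[0] != 0:
        raise ValueError("RSAPublicKey BIT STRING must have zero unused bits")
    tag, seq, end = read_tlv(bit_string, 1)
    if tag != 0x30 or end != len(bit_string):
        raise ValueError("BIT STRING payload is not a single SEQUENCE")
    tag_n, n_bytes, after_n = read_tlv(seq, 0)
    tag_e, e_bytes, after_e = read_tlv(seq, after_n)
    if tag_n != 0x02 or tag_e != 0x02 or after_e != len(seq):
        raise ValueError("RSAPublicKey must be SEQUENCE { INTEGER n, INTEGER e }")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n <= 0 or e <= 0:
        raise ValueError("non-positive RSA parameter")
    return n, e


def decode_spki(der):
    """Decode a SubjectPublicKeyInfo; raise ValueError instead of returning a partial key."""
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, alg, after_alg = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("unsupported or missing algorithm OID")
    bs_tag, bit_string, after_bs = read_tlv(spki, after_alg)
    if bs_tag != 0x03 or after_bs != len(spki):
        raise ValueError("subjectPublicKey BIT STRING missing or trailing data")
    n, e = decode_rsa_public_key(bit_string)
    return {"n": n, "e": e, "bits": n.bit_length()}


def load_public_key(der):
    """Mimic a parser that reports failure by returning None (the NULL the page describes)."""
    try:
        return decode_spki(der)
    except ValueError:
        return None


def key_bits_unchecked(der):
    # Vulnerable pattern: trusts the returned pointer blindly. On a bad
    # certificate this raises TypeError, the analogue of the NULL dereference.
    return load_public_key(der)["bits"]


def key_bits_checked(der):
    # Hardened pattern: None means "invalid certificate", not "a key".
    key = load_public_key(der)
    return None if key is None else key["bits"]


def _integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps leading 0x00


def build_spki(bit_string_payload):
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, bit_string_payload))


# Constructed sample inputs (not real RPKI material):
GOOD_SPKI = build_spki(b"\x00" + tlv(0x30, _integer(0xC27F11AB) + _integer(65537)))
TRUNCATED_SPKI = build_spki(b"\x00" + b"\x30\x08\x02\x01")   # valid BIT STRING, truncated payload
UNUSED_BITS_SPKI = build_spki(b"\x07" + tlv(0x30, _integer(0xC27F11AB) + _integer(65537)))
```

`key_bits_checked` is the behaviour a relying party needs: a certificate whose key cannot be decoded is rejected and logged, and validation of the rest of the repository continues instead of the whole process going down.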
Potential Impact
For European organizations, especially ISPs, network operators, and internet exchange points relying on Fort for RPKI validation, this vulnerability can cause temporary loss of Route Origin Validation. This unavailability can lead to acceptance of invalid or malicious routing announcements, increasing the risk of route hijacking, traffic interception, or denial of service. Critical infrastructure providers and large enterprises dependent on secure routing may experience degraded network security posture and potential service disruptions. The impact is primarily on availability of routing validation, which indirectly affects integrity and trustworthiness of routing decisions. Given the increasing adoption of RPKI in Europe to secure BGP routing, exploitation could undermine routing security and trust in the affected networks. Although no direct confidentiality breach occurs, the potential for traffic misdirection or interception poses serious operational risks. The lack of known exploits suggests a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations using Fort should upgrade to version 1.6.3 or later, where this vulnerability is fixed. If an immediate upgrade is not possible, organizations should consider network-level protections that restrict access to RPKI repositories, in particular limiting rsync and RRDP traffic to trusted sources. Monitoring Fort logs for crashes or unusual behavior can provide early warning of exploitation attempts. Redundancy in the RPKI validation infrastructure reduces the impact of a single instance crashing. Additionally, organizations should verify that their OpenSSL libraries are updated to version 3 or later, as this mitigates the parsing issue at the cryptographic library level. Network operators should coordinate with upstream providers and RPKI Trust Anchor operators to ensure repository integrity and monitor for suspicious repository behavior. Regular vulnerability scanning and patch management processes should prioritize this update because of its impact on routing security. Finally, consider deploying fallback routing policies that minimize risk during RPKI validation outages.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-08-24T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6909214ffe7723195e054685
Added to database: 11/3/2025, 9:40:31 PM
Last enriched: 11/3/2025, 9:46:06 PM
Last updated: 11/4/2025, 2:53:00 AM