CVE-2021-43173: 
NixOS vulnerability analysis and mitigation

CVE-2021-43173 affects NLnet Labs Routinator versions prior to 0.10.2. The vulnerability was discovered and disclosed in November 2021, impacting the validation process of the RPKI (Resource Public Key Infrastructure) validator. The vulnerability allows an RRDP repository to significantly delay validation runs by exploiting the connection timeout mechanism (NVD, Vendor Advisory).

The vulnerability stems from an improper implementation of timeout mechanisms in RRDP connections. While Routinator has a configurable timeout value, it only applies to individual read/write operations rather than the complete request. This allows an RRDP repository to continuously extend the request duration by sending small amounts of data before the timeout expires. The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

When exploited, this vulnerability can cause validation runs to stall indefinitely. As a result, Routinator either continues to serve old data sets or, if the exploitation occurs during the initial validation run after starting, may never serve any data at all (Vendor Advisory).

The vulnerability has been fixed in Routinator version 0.10.2. Users are advised to upgrade to this version or later to address the issue. Debian has also released security updates for affected packages in their distributions through DSA-5033-1 and DSA-5041-1 (Debian Advisory, Vendor Advisory).