CVE-2023-0158: 
NixOS vulnerability analysis and mitigation

CVE-2023-0158 affects NLnet Labs Krill, a software used for operating an RPKI Publication Server. The vulnerability was discovered in versions up to and including 0.12.0, where the built-in '/rrdp' endpoint could be exploited to cause server crashes. The issue was disclosed and patched in version 0.12.1 (NLnet Advisory).

The vulnerability exists in Krill's built-in web server functionality at the '/rrdp' endpoint. When a direct query is made for any existing directory under '/rrdp/', rather than an expected RRDP file such as '/rrdp/notification.xml', it causes the server to crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

If exploited, the vulnerability can cause the Krill publication server to crash, affecting the availability of the server and repository. While the repository content itself is not directly affected, persistent attacks can cause significant service disruption if not mitigated (NLnet Advisory).

Two mitigation options are available: 1) Follow the documented recommendation to use a separate web server for the RRDP content and disable direct access to the '/rrdp' endpoint, which is the preferred solution as dedicated web servers are better suited for handling high load HTTP traffic, or 2) Upgrade to Krill version 0.12.1 or later, which prevents the server from crashing due to direct queries to the '/rrdp' endpoint (NLnet Advisory).

The vulnerability was discovered and disclosed by GitHub user KittensAreDaBest, demonstrating the value of community involvement in security research (NLnet Advisory).