CVE-2024-45234: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in Fort before version 1.6.3, identified as CVE-2024-45234. The issue involves a malicious RPKI repository that descends from a trusted Trust Anchor being able to serve (via rsync or RRDP) an ROA or a Manifest containing signedAttrs encoded in non-canonical form. This vulnerability was assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability bypasses Fort's BER decoder, reaching a point in the code that panics when faced with data not encoded in DER. The issue specifically relates to the handling of signedAttrs in ROA or Manifest files when they are not in canonical form. The vulnerability affects Fort-validator versions prior to 1.6.3 (FORT-CVE).

Because Fort is an RPKI Relying Party, a panic can lead to Route Origin Validation unavailability, which can subsequently lead to compromised routing. The primary impact is a crash that results in potential unavailability of Route Origin Validation (FORT-CVE, Debian-LTS).

The vulnerability has been fixed in Fort version 1.6.3 through commit 521b1a0. Users are advised to upgrade to version 1.6.3 or later to address this security issue. For Debian 11 bullseye users, the fix has been backported to version 1.5.3-1~deb11u2 (Debian-LTS).