CVE-2024-45238: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in Fort before version 1.6.3, identified as CVE-2024-45238. The vulnerability affects the RPKI (Resource Public Key Infrastructure) validator when processing resource certificates from malicious RPKI repositories that descend from trusted Trust Anchors. The issue was discovered and disclosed by security researchers Niklas Vogel and Haya Schulmann (FORT CVE).

The vulnerability occurs when a malicious RPKI repository serves a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key, either via rsync or RRDP protocols. When Fort is compiled with OpenSSL libcrypto versions below 3, it recklessly dereferences the pointer since OpenSSL does not report this problem during parsing. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified as a NULL Pointer Dereference (CWE-476) (NVD, Debian Security).

Because Fort is an RPKI Relying Party, a crash resulting from this vulnerability can lead to Route Origin Validation unavailability, which in turn can lead to compromised routing. This affects the overall security and reliability of the routing infrastructure (FORT CVE).

The vulnerability has been patched in Fort version 1.6.3 through commit 5689dea. Users are advised to upgrade to this version or later. For Debian 11 (bullseye) users, the fix has been backported to version 1.5.3-1~deb11u2 (Debian Security, FORT CVE).