CVE-2024-56169: 
Linux Debian vulnerability analysis and mitigation

A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data that can be employed as a fallback in case a new fetch fails or yields incorrect files. However, the product currently uses its cache merely as a bandwidth saving tool (because fetching is performed through deltas). This vulnerability was discovered in December 2024 and affects Fort validator versions up to 1.6.4 (NVD, FORT CVE).

The vulnerability stems from Fort's improper implementation of cache management. While the software maintains a cache, it is only utilized for bandwidth optimization through delta fetching rather than serving its intended purpose as a backup mechanism. When a fetch operation fails midway or results in incorrect files, the system lacks a proper fallback mechanism, leaving it without viable backup data (FORT CVE). The issue has been assigned a CVSS v3.1 Base Score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).

The primary impact of this vulnerability is incomplete Route Origin Validation data. When fetch operations fail or yield incorrect files, the system cannot fall back to previously validated data, potentially leading to incomplete or inaccurate routing information (FORT CVE).

A fix for this vulnerability is scheduled for Fort release 2.0.0. The issue was identified through GitHub issue #82, which highlighted the need for proper RFC 9286 compliance (FORT Issue, FORT CVE).