CVE-2022-3029

Fatal error on incorrect base64 data in RRDP

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data.

En NLnet Labs Routinator versiones 0.9.0 hasta 0.11.2 incluyéndola, debido a un error en el manejo de errores, los datos en los archivos RRDP snapshot y delta que no están correctamente codificados en base 64 son tratados como un error fatal y causan una salida de Routinator. El peor caso de impacto de esta vulnerabilidad es la negación de servicio para los datos RPKI que Routinator proporciona a los routers. Esto puede impedir que la red compruebe los orígenes de las rutas basándose en los datos RPKI. Esta vulnerabilidad no permite a un atacante manipular los datos RPKI

*Credits: We would like to thank Donika Mirdita and Haya Shulman from Fraunhofer SIT and ATHENE for discovering and reporting the issue.

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-08-29 CVE Reserved
2022-09-13 CVE Published
2024-04-05 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-241: Improper Handling of Unexpected Data Type

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nlnetlabs Search vendor "Nlnetlabs"		Routinator Search vendor "Nlnetlabs" for product "Routinator"				>= 0.9.0 <= 0.11.2 Search vendor "Nlnetlabs" for product "Routinator" and version " >= 0.9.0 <= 0.11.2"		-		Affected