18 new vulnerabilities found by National Research Centre for Applied Cybersecurity

A research team from the National Research Centre for Applied Cybersecurity ATHENE, led by Prof. Dr. Haya Schulmann, has revealed 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI, an Internet standard designed to protect Internet traffic from being hijacked by attackers, was found to be susceptible to exploitation. All affected vendors have since provided patches for their products. The vulnerabilities posed significant risks: Internet hijacks have already been exploited for various malicious activities, including phishing, fraudulent certificate issuance, cryptocurrency theft, malware dissemination, and DNS server cache poisoning.

The ATHENE team, comprising Prof. Dr. Haya Schulmann and Niklas Vogel from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed the 18 vulnerabilities. These vulnerabilities were documented by the National Vulnerability Database (NVD), managed by the US National Institute of Standards and Technology (NIST), with five Common Vulnerabilities and Exposures (CVE) entries assigned, some with critical severity ratings reaching 9.3 out of 10. Using CURE, a testing tool developed specifically for this project, the team detected vulnerabilities in all popular implementations of RPKI’s validator component. The vulnerabilities ranged from crashes and violations of standard behaviour to severe bugs that enable network adversaries to seize control of an RPKI certificate hierarchy, potentially injecting their own trust anchor. This would allow them to fabricate routing information, such as BGP announcements, that appears authentic yet is bogus. It remains uncertain whether any of these vulnerabilities have been exploited by hackers in real-world scenarios.

Despite being a relatively recent standard, RPKI has gained adoption, covering approximately 50% of the Internet’s network prefixes, with 37.8% of all Internet domains validating RPKI certificates. Notably, major providers and operators, including Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo, support RPKI.

This research was conducted within the ATHENE research area Analytic Based Cybersecurity (ABC) and was presented at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper is available for download on the NDSS Symposium website. Additionally, the testing tool CURE, utilised by the researchers to uncover the vulnerabilities, is accessible for download from GitHub.