news aktuell GmbH

Severe Vulnerabilities Discovered in Software to Protect Internet Routing

A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. By now, all affected vendors have provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

The ATHENE team, consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range from crashes and violations of standard behavior to severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy in order to inject its own trust anchor, which effectively lets the adversary forge authentic and valid yet bogus routing information (i.e., BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

About us

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.
