Severe Vulnerabilities Discovered in Software to Protect Internet Routing

11.4.2024 16:51:22 CEST | news aktuell GmbH | Pressmeddelande

Dela

A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. By now, all affected vendors provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

The ATHENE team consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range between crashes, violation of standard behavior, and even severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy in order to inject its own trust anchor – effectively being able to forge authentic and valid yet bogus routing information (i.e., BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/ ) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

Kontakter

Mrs. Cornelia Reitz

cornelia.reitz@athene-center.de

About us

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.

Följ news aktuell GmbH

Abonnera på våra pressmeddelanden. Endast mejladress behövs och den används bara här. Du kan avanmäla dig när som helst.

Senaste pressmeddelandena från news aktuell GmbH

enomyc enters next growth phase with Ufenau Capital Partners8.5.2026 08:05:14 CEST | Press Release

Building a leading transformation and restructuring advisory platform in the DACH region with an international perspective

City of Innsbruck: A model for actively shaping Europe7.5.2026 14:12:47 CEST | Press Release

Emperor Maximilian Prize 2026 for the “European Youth FOrum Neumarkt”

Global governance report highlights future shock risks as democratic accountability slips and state capacity plateaus7.5.2026 08:08:39 CEST | Press Release

Los Angeles/DNA - The newly released 2026 Berggruen Governance Index (BGI) paints a mixed picture of global governance heading into a future of mounting shocks, finding widespread gains in public-goods provision from 2000 to 2023 even as democratic accountability edged down and state capacity showed little overall improvement. The BGI, presented Wednesday by an international group of governance scholars, analyses measurable benchmarks of democratic accountability across 145 countries. On a 100-point scale, the global score for democratic accountability slipped slightly from 65 in 2000 to 64 in 2023, the most recent data used in the project. The wave of democratisation observed in the closing decades of the last century has stalled in the last 15 years. Democratic accountability fell in 54 countries while it improved in 48 countries. Yet the BGI — a collaborative project of the Luskin School of Public Affairs at the University of California, Los Angeles (UCLA), Berlin’s Hertie School an

Europeans call for greater independence: Support for U.S. as Europe’s Top Ally Drops Sharply7.5.2026 08:00:00 CEST | Press Release

Europe is rethinking its place in the world. After decades of close cooperation with the United States, nearly three in four EU citizens now say the Union should ‘go its own way’. A clear majority of Europeans do not see the U.S. as a trustworthy partner any longer. A year and a half into the Trump presidency, the share of respondents identifying the U.S. as Europe’s most valuable ally has fallen by 20 percentage points. While China fails to gain ground as an alternative partner, Europeans are recalibrating alliances within the West. A new study by Bertelsmann Stiftung illustrates this shift.

BIK Behavioural Verification technology as the response to the growing wave of digital fraud in the African financial market5.5.2026 09:00:00 CEST | Press Release

05.05.2026, Warsaw, POLAND - Biuro Informacji Kredytowej (BIK), Credit Information Bureau, the leading organization in Poland for credit data exchange and anti-fraud systems, has formed a strategic alliance with Fair Score Africa. Fair Score Africa is an Award Winning pioneer in credit repair and re-integration, alternative credit scoring and in tackling financial exclusion, based in South Africa. This collaboration aims to implement the Polish-developed BIK Behavioural Verification Platform in seven key African markets, with the goal of reducing financial fraud. Amidst the rapid digitalization of financial services across Africa, an increase in fraudulent activities is threatening transaction security and emerging as a significant challenge to the stability of developing economies.

I vårt pressrum kan du läsa de senaste pressmeddelandena, få tillgång till pressmaterial och hitta kontaktinformation.

Besök vårt pressrum