news aktuell GmbH

Severe Vulnerabilities Discovered in Software to Protect Internet Routing

A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. All affected vendors have since provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

The ATHENE team, consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range from crashes and violations of standard behavior to severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy in order to inject its own trust anchor – effectively being able to forge authentic and valid yet bogus routing information (i.e., BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

About us

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.
