Fixing Recent Validation Vulnerabilities in OctoRPKI
On November 12th, researchers from the University of Twente disclosed a number of vulnerabilities in Resource Public Key Infrastructure (RPKI) validation software. These attacks exploit common assumptions across multiple RPKI implementations, and some of the issues were found in OctoRPKI. Cloudflare customers do not need to take any action, as no customer data was ever at risk and no attempted exploitation has been observed. The company published a new release of OctoRPKI, v1.4.0, to address these vulnerabilities. RPKI is a cryptographic method used for signing records that associate BGP route announcements with the correct originating Autonomous System number. Undefined behavior in validation software and malicious inputs were identified as potential threats. Two classes of attacks disclosed in the NCSC advisory affected OctoRPKI: arbitrary file writes, and crashes or uncontrolled resource consumption. Cloudflare has implemented bounds checking across many components within OctoRPKI to mitigate these issues. The company is committed to ongoing support of RPKI and looks forward to continuing to work with the security community to make the Internet safer and more secure for everyone.
Company
Cloudflare
Date published
Nov. 12, 2021
Author(s)
David Haynes
Word count
956
Hacker News points
2
Language
English