Research Team Discovers 18 Vulnerabilities in Crucial Internet Security Standard
Frankfurt and Darmstadt, April 11, 2024 – A team of researchers from the National Research Center for Applied Cybersecurity ATHENE has uncovered 18 vulnerabilities in Resource Public Key Infrastructure (RPKI), a crucial Internet standard used to protect against hacking attacks. The team, led by Prof. Dr. Haya Schulmann, found that these vulnerabilities could have had devastating consequences as they could be exploited by hackers for various malicious activities.
The ATHENE team, consisting of Prof. Dr. Haya Schulmann and Niklas Vogel from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed the vulnerabilities. The US National Institute of Standards and Technology (NIST) assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, with some being deemed critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and made it available free of charge to all developers of RPKI software.
The vulnerabilities were found in all popular implementations of the validator component of RPKI and ranged from crashes to violations of standard behavior, and even severe bugs that could allow a hacker to take over an RPKI certificate hierarchy and inject their own trust anchor. This would enable them to forge authentic and valid yet bogus routing information, also known as BGP announcements, potentially leading to various malicious activities such as phishing, data theft, and distribution of malware.
Although RPKI is a relatively new standard, it is already widely used, with about 50% of the Internet’s network prefixes and 37.8% of all Internet domains validating RPKI certificates. Many large providers and operators, including Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo, support RPKI.
The research was carried out in the Analytic Based Cybersecurity (ABC) research area of ATHENE and was presented at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The full research paper can be downloaded from the NDSS website, while the testing tool CURE can be found on GitHub.
ATHENE is a research center of the Fraunhofer Society, bringing together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With over 600 scientists, ATHENE is Europe’s leading cybersecurity research center and Germany’s top institution in this field. The center is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK).
For more information about ATHENE, please visit their website at https://www.athene-center.de/en/.
Media Contact:
Mrs. Cornelia Reitz
Email: cornelia.reitz@athene-center.de
Distributed by https://pressat.co.uk/