National Research Center for Applied Cybersecurity ATHENE: Severe Vulnerabilities Discovered in Software to Protect Internet Routing

A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet traffic from being hijacked by hackers. By now, all affected vendors have provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning caches of DNS servers.

Frankfurt and Darmstadt, April 2024

The ATHENE team, consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT, uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the validator component of RPKI. They range from crashes and violations of standard behavior to severe bugs that allow a network adversary to completely take over an RPKI certificate hierarchy and inject its own trust anchor, effectively enabling it to forge routing information (i.e., BGP announcements) that appears authentic and valid yet is bogus. It is unknown whether any of the vulnerabilities were already exploited by hackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.

Press Contact: Mrs. Cornelia Reitz, cornelia.reitz@athene-center.de
