National Research Center for Applied Cybersecurity ATHENE: Severe Vulnerabilities Discovered in Software to Protect Internet Routing


A research team from the National Research Center for Applied Cybersecurity ATHENE led by Prof. Dr. Haya Schulmann has uncovered 18 vulnerabilities in crucial software components of the Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard meant to protect Internet routing (BGP) from hijacks, in which an attacker announces address space that belongs to someone else and thereby diverts the traffic destined for it. By now, all affected vendors have provided patches for their products. The vulnerabilities could have had devastating consequences: Internet hijacks have already been exploited, e.g., for phishing passwords and other sensitive information, tricking certificate authorities into issuing fraudulent Web certificates, stealing cryptocurrency, distributing malware, and poisoning the caches of DNS resolvers.

Frankfurt and Darmstadt, April 2024

The ATHENE team consisting of Prof. Dr. Haya Schulmann and Niklas Vogel, both from Goethe University Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT uncovered and disclosed 18 vulnerabilities. The National Vulnerability Database (NVD), operated by the US National Institute of Standards and Technology (NIST), assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, some of them rated critical with a score of 9.3 out of 10. The team used a testing tool, CURE, which they developed specifically for this project and which ATHENE makes available free of charge to all developers of RPKI software. The researchers found vulnerabilities in all popular implementations of the RPKI validator (relying party) software, the component that fetches and verifies RPKI certificates and hands the resulting route origin authorizations to routers. The bugs range from crashes and violations of standard behavior to severe flaws that allow a network adversary to take over the RPKI certificate hierarchy seen by a validator and inject its own trust anchor, effectively being able to forge routing information that appears authentic and valid yet is bogus (i.e., authorizations that legitimize hijacked BGP announcements). It is unknown whether any of the vulnerabilities were already exploited by attackers in the wild.

RPKI is a relatively new standard. Today, about 50% of the Internet’s network prefixes are covered by RPKI certificates, and 37.8% of all Internet domains validate RPKI certificates. In particular, many large providers and operators support RPKI, e.g., Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo.
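To make concrete what a validator decides for a router, and why an injected trust anchor is so damaging, the following is an added example of route origin validation (ROV), the final step in which a router compares a BGP announcement against the validated ROA payloads (VRPs) it received from its RPKI validator. It is not code from the ATHENE/CURE project; the ROAs, prefixes (TEST-NET ranges) and AS numbers (documentation range 64496-64511) are constructed for illustration. The last scenario shows that once an attacker can make the validator emit a forged VRP, a hijack that ROV would have rejected becomes "valid", because routers trust the VRP list as-is.

```python
"""Route Origin Validation (ROV) as a router applies it to VRPs from an RPKI
validator. Added example; all ROAs, prefixes and ASNs below are constructed."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network


class ROV(Enum):
    VALID = "valid"          # a covering ROA authorizes this origin AS and length
    INVALID = "invalid"      # covering ROA(s) exist, but none authorizes it
    NOT_FOUND = "not-found"  # no ROA covers the prefix at all (unprotected space)


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload (VRP): prefix, maximum length, origin ASN."""
    prefix: str
    max_length: int
    asn: int


def covers(roa: ROA, prefix) -> bool:
    """A ROA is a candidate for an announcement when its prefix contains it."""
    roa_net = ip_network(roa.prefix)
    return roa_net.version == prefix.version and prefix.subnet_of(roa_net)


def validate(vrps, announced_prefix: str, origin_asn: int) -> ROV:
    """Decide VALID / INVALID / NOT_FOUND for one BGP announcement.

    An announcement is VALID only if some covering ROA names the origin AS
    and the announced prefix is no longer than that ROA's max length; a
    matching AS with a too-specific prefix is still INVALID."""
    prefix = ip_network(announced_prefix)
    candidates = [r for r in vrps if covers(r, prefix)]
    if not candidates:
        return ROV.NOT_FOUND
    for r in candidates:
        if r.asn == origin_asn and prefix.prefixlen <= r.max_length:
            return ROV.VALID
    return ROV.INVALID


# Constructed VRP list a healthy validator would hand to the router:
# AS64496 may originate exactly 203.0.113.0/24 (no more-specifics).
LEGIT_VRPS = [ROA("203.0.113.0/24", 24, 64496)]


def demo() -> dict:
    """Run the four textbook cases, then the case of a compromised validator."""
    results = {
        # the rightful owner announcing its own prefix
        "legitimate": validate(LEGIT_VRPS, "203.0.113.0/24", 64496),
        # a foreign AS announcing the same prefix (origin hijack)
        "origin_hijack": validate(LEGIT_VRPS, "203.0.113.0/24", 64500),
        # a more-specific announcement beyond max length, even from the owner
        "more_specific": validate(LEGIT_VRPS, "203.0.113.0/25", 64496),
        # address space nobody has covered with a ROA
        "unprotected": validate(LEGIT_VRPS, "198.51.100.0/24", 64501),
    }
    # If an attacker injects their own trust anchor into the validator, the
    # validator can be made to emit any VRP. The router cannot distinguish a
    # forged VRP from a real one, so the hijack above now passes ROV.
    forged_vrps = LEGIT_VRPS + [ROA("203.0.113.0/24", 24, 64500)]
    results["origin_hijack_after_forged_vrp"] = validate(
        forged_vrps, "203.0.113.0/24", 64500
    )
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict.value}")
```

The router-side logic is deliberately simple; all the security rests on the validator producing an honest VRP list, which is exactly what the vulnerabilities described above undermine.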

The research work was carried out in the ATHENE research area Analytic Based Cybersecurity (ABC) (more information at https://abc.athene-center.de/en/ ) and appeared at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California, USA. The research paper can be downloaded from https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/. The testing tool CURE developed and used by the researchers to uncover the vulnerabilities can be downloaded from https://github.com/rp-cure/rp-cure.

The National Research Center for Applied Cybersecurity ATHENE is a research center of the Fraunhofer Society that brings together the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With more than 600 scientists, ATHENE is Europe's most prominent cybersecurity research center and Germany’s leading scientific research institution in this domain. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK). Further information about ATHENE can be found at https://www.athene-center.de/en/.

Press Contact: Mrs. Cornelia Reitz, cornelia.reitz@athene-center.de
