Comprehensive Technical Analysis of EUVD-2023-43614 (CVE-2023-39916)

Vulnerability: Path Traversal in NLnet Labs’ Routinator (RRDP Response Storage)

1. Vulnerability Assessment and Severity Evaluation

Vulnerability Overview

EUVD-2023-43614 (CVE-2023-39916) is a path traversal vulnerability in NLnet Labs’ Routinator, a widely used RPKI (Resource Public Key Infrastructure) Relying Party (RP) software. The flaw exists in the optional keep-rrdp-responses feature, which is disabled by default but can be enabled via configuration.

When enabled, Routinator stores RRDP (RPKI Repository Delta Protocol) responses on disk, with the storage path derived from the URL of the request. Due to insufficient input sanitization, an attacker can craft a malicious RRDP URL containing directory traversal sequences (e.g., ../) to write files outside the intended storage directory.

CVSS v3.1 Severity Analysis

Metric	Value	Explanation
Base Score	9.3 (Critical)	High impact on integrity and availability, with network-based exploitation.
Attack Vector (AV)	Network (N)	Exploitable remotely via crafted RRDP requests.
Attack Complexity (AC)	Low (L)	No special conditions required; straightforward exploitation.
Privileges Required (PR)	None (N)	No authentication or elevated privileges needed.
User Interaction (UI)	Required (R)	Requires a victim to enable the vulnerable feature (keep-rrdp-responses).
Scope (S)	Changed (C)	Exploitation affects components beyond the vulnerable software (e.g., filesystem).
Confidentiality (C)	None (N)	No direct impact on confidentiality (no data exfiltration).
Integrity (I)	High (H)	Arbitrary file writes can lead to code execution or system compromise.
Availability (A)	High (H)	Overwriting critical files (e.g., /etc/passwd, cron jobs) can disrupt services.

Key Observations:

• Critical severity (9.3) due to arbitrary file write capabilities, which can lead to remote code execution (RCE) if combined with other misconfigurations.
• User interaction is required (enabling the feature), reducing real-world exploitability but not eliminating risk.
• No confidentiality impact since the vulnerability does not allow reading files, only writing.

---

2. Potential Attack Vectors and Exploitation Methods

Exploitation Prerequisites

1. Feature Enablement: The keep-rrdp-responses option must be explicitly enabled in Routinator’s configuration (routinator.conf).
2. RRDP Server Control: The attacker must either:
   • Control an RRDP server (e.g., a malicious RPKI repository).
   • Intercept and modify RRDP traffic (MITM attack).
3. Crafted RRDP URL: The attacker must construct a malicious RRDP URL containing path traversal sequences (e.g., https://malicious-rrdp.example.com/../../../etc/cron.d/evil).

Exploitation Steps

1. Enable Vulnerable Feature: The victim must configure Routinator with:

   keep-rrdp-responses = true
   

2. Craft Malicious RRDP URL: The attacker prepares an RRDP URL with traversal sequences, e.g.:

   https://attacker.com/rrdp/../../../../tmp/exploit.sh
   

3. Trigger RRDP Request:
   • Routinator fetches the malicious RRDP response.
   • The response is stored at the unsanitized path, potentially outside the intended directory.
4. Achieve Arbitrary File Write:
   • If the attacker writes to sensitive locations (e.g., /etc/cron.d, /var/www/html, or a user’s .bashrc), they can:
     • Execute arbitrary commands (e.g., via cron jobs).
     • Overwrite critical system files (e.g., /etc/passwd).
     • Deploy web shells (if Routinator runs in a web-accessible directory).

Post-Exploitation Impact

• Privilege Escalation: If Routinator runs as root, the attacker can write to system directories.
• Persistence: Malicious cron jobs or startup scripts can maintain access.
• Lateral Movement: If Routinator is part of a larger RPKI infrastructure, the attacker may pivot to other systems.

---

3. Affected Systems and Software Versions

Vulnerable Versions

• Routinator versions 0.9.0 through 0.12.1 (inclusive).
• Fixed in version 0.12.2 (released September 13, 2023).

Affected Deployments

• RPKI Relying Parties (RPs): Organizations using Routinator for RPKI validation (e.g., ISPs, cloud providers, IXPs).
• Critical Infrastructure: RPKI is used to secure BGP routing, making this vulnerability relevant to internet routing security.
• European Impact: Given NLnet Labs’ prominence in European RPKI deployments, this affects EU-based networks relying on Routinator.

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade to Fixed Version:

   • Patch immediately to Routinator 0.12.2 or later.
   • Download from: https://nlnetlabs.nl/downloads/routinator/

2. Disable Vulnerable Feature:

   • If upgrading is not feasible, disable keep-rrdp-responses in routinator.conf:

     keep-rrdp-responses = false
     

3. Apply Least Privilege Principle:

   • Run Routinator as a non-root user with minimal filesystem permissions.
   • Use chroot/jail environments to restrict file system access.

4. Network-Level Protections:

   • Restrict RRDP traffic to trusted RPKI repositories.
   • Monitor for suspicious RRDP URLs (e.g., containing ../ sequences).

Long-Term Hardening

1. Input Validation & Sanitization:

   • Ensure all URL-derived paths are canonically resolved and restricted to the intended directory.
   • Implement allowlisting for RRDP repository URLs.

2. File System Hardening:

   • Use mandatory access controls (MAC) (e.g., SELinux, AppArmor) to restrict Routinator’s file operations.
   • Immutable filesystems (e.g., read-only /etc) can prevent unauthorized writes.

3. Monitoring & Detection:

   • Log all RRDP response storage events for forensic analysis.
   • Alert on unexpected file writes (e.g., outside /var/lib/routinator).

4. Dependency Management:

   • Regularly audit RPKI software for vulnerabilities.
   • Subscribe to NLnet Labs’ security advisories for future updates.

---

5. Impact on European Cybersecurity Landscape

Strategic Implications

1. RPKI Adoption & Trust:

   • RPKI is critical for BGP security, and vulnerabilities in Relying Party software undermine trust in the system.
   • EU’s NIS2 Directive mandates secure routing practices; this vulnerability could delay RPKI adoption due to perceived risks.

2. Supply Chain Risks:

   • Routinator is a key component in many European ISPs’ RPKI validation pipelines.
   • A successful exploit could disrupt BGP routing, leading to internet outages or BGP hijacking.

3. Regulatory & Compliance Concerns:

   • Organizations subject to GDPR, NIS2, or ENISA guidelines must patch promptly to avoid compliance violations.
   • ENISA’s role in tracking this vulnerability (via ENISA ID) highlights its cross-border impact.

4. Threat Actor Interest:

   • State-sponsored actors (e.g., APT groups) may exploit this to manipulate BGP routing for espionage or disruption.
   • Cybercriminals could use it for persistence or lateral movement in targeted attacks.

Mitigation at the EU Level

• ENISA & CERT-EU should coordinate patching efforts across member states.
• National CSIRTs should prioritize this vulnerability in critical infrastructure (e.g., IXPs, ISPs).
• RPKI operators should audit their Routinator deployments and monitor for exploitation attempts.

---

6. Technical Details for Security Professionals

Root Cause Analysis

• Vulnerable Code Path:

  • The keep-rrdp-responses feature in Routinator constructs file paths from RRDP URLs without proper sanitization.
  • The std::fs::create_dir_all and file write operations do not validate path traversal sequences.

• Proof of Concept (PoC):

  # Example malicious RRDP URL (simplified)
  curl -X GET "http://routinator.example.com/rrdp/../../../tmp/poc.txt" \
       -H "Content-Type: application/rpki-publication"
  

  • If keep-rrdp-responses is enabled, this writes poc.txt to /tmp/.

Exploitation Constraints

• User Interaction Required: The feature must be manually enabled.
• File System Permissions: Exploitation depends on Routinator’s runtime privileges.
• RRDP Server Control: The attacker must control or MITM an RRDP repository.

Detection & Forensics

1. Log Analysis:
   • Check Routinator logs for unexpected file writes:

     grep "Writing RRDP response" /var/log/routinator.log | grep "\.\./"
     

2. File System Monitoring:
   • Use auditd or FIM (File Integrity Monitoring) to detect unauthorized writes:

     auditctl -w /var/lib/routinator -p wa -k routinator_file_write
     

3. Network Traffic Analysis:
   • Inspect RRDP traffic for malicious URLs (e.g., containing ../).

Advanced Mitigation Techniques

• eBPF-Based Sandboxing:
  • Use eBPF programs to restrict Routinator’s file operations.
• Containerization:
  • Run Routinator in a Docker container with read-only filesystems.
• Seccomp Filters:
  • Restrict system calls (e.g., open, write) to prevent path traversal.

---

Conclusion

EUVD-2023-43614 (CVE-2023-39916) is a critical path traversal vulnerability in Routinator that, if exploited, allows arbitrary file writes with severe implications for BGP security and system integrity. While the feature is disabled by default, organizations using Routinator for RPKI validation must patch immediately or disable the vulnerable option.

Given the EU’s reliance on RPKI for secure routing, this vulnerability poses a significant risk to internet infrastructure and requires coordinated mitigation efforts across member states. Security teams should audit their deployments, monitor for exploitation, and implement hardening measures to prevent future incidents.

Recommended Actions: ✅ Upgrade to Routinator 0.12.2+ ✅ Disable keep-rrdp-responses if patching is delayed ✅ Restrict Routinator’s filesystem permissions ✅ Monitor for suspicious RRDP traffic and file writes ✅ Coordinate with ENISA/CERT-EU for large-scale deployments