ATHENE Research Team Discovers Critical Vulnerabilities in Internet Security Standard
A team of researchers from the National Research Center for Applied Cybersecurity ATHENE has uncovered 18 vulnerabilities in crucial software components of Resource Public Key Infrastructure (RPKI). RPKI is an Internet standard designed to protect Internet traffic from being hijacked by hackers.
Led by Prof. Dr. Haya Schulmann, the research team has identified and disclosed these vulnerabilities, which could have had devastating consequences if left unaddressed. The team includes Prof. Dr. Haya Schulmann and Niklas Vogel from Goethe University of Frankfurt, Donika Mirdita from TU Darmstadt, and Prof. Dr. Michael Waidner from TU Darmstadt and Fraunhofer SIT.
The National Vulnerability Database (NVD) has assigned five Common Vulnerabilities and Exposures (CVE) entries to these vulnerabilities, with some being deemed critical with a score of 9.3 out of 10. The ATHENE team utilized a testing tool called CURE, which they developed specifically for this project and is now available for all developers of RPKI software to use free of charge.
The vulnerabilities were found in all popular implementations of the validator component of RPKI, ranging from crashes and violations of standard behavior to severe bugs that could allow a network adversary to take over an RPKI certificate hierarchy. This would enable them to inject their own trust anchor and forge authentic and valid yet bogus routing information, such as BGP announcements. It is currently unknown if any of these vulnerabilities have already been exploited by hackers.
RPKI is a relatively new standard, with about 50% of the internet’s network prefixes currently covered by RPKI certificates and 37.8% of all internet domains validating RPKI certificates. Many large providers and operators, including Amazon Web Services, Cogent, Deutsche Telekom, Level 3, and Zayo, support RPKI.
The research was conducted in the ATHENE research area Analytic Based Cybersecurity (ABC) and was presented at the 2024 Network and Distributed System Security (NDSS) Symposium in San Diego, California. The research paper can be found on the NDSS website, and the testing tool CURE is available for download on GitHub.
ATHENE is a research center of the Fraunhofer Society, which brings together several institutions, including the Fraunhofer Institutes for Secure Information Technology (SIT) and for Computer Graphics Research (IGD), Technische Universität Darmstadt, Goethe-Universität Frankfurt am Main, and Darmstadt University of Applied Sciences. With over 600 scientists, ATHENE is Europe’s leading cybersecurity research center and the top scientific research institution in Germany for this field. ATHENE is supported by the German Federal Ministry of Education and Research (BMBF) and the Hessian Ministry for Higher Education, Research, Science and the Arts (HMWK).
For more information about ATHENE, please visit https://www.athene-center.de/en/. For press inquiries, please contact Mrs. Cornelia Reitz at cornelia.reitz@athene-center.de.
Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.