possible rsync validation dos vuln

Randy Bush randy at psg.com
Fri Oct 29 01:03:58 UTC 2021


received this vuln notice four days before these children intend to
disclose.  so you can guess how inclined to embargo.

randy


From: Koen van Hove <k.w.vanhove at student.utwente.nl>
Subject: CVD: Vulnerabilities in RPKI Validators
To: randy at psg.com, sra at hactrn.net
Cc: cert at ncsc.nl
Date: Wed, 27 Oct 2021 14:59:21 -0700

Dear Randy Bush and Rob Austein,

Apologies, this email was previously sent to the wrong email address.

On behalf of the University of Twente and the National Cyber Security
Centre of the Netherlands (NCSC-NL) we want to notify you of a Coordinated
Vulnerability Disclosure for RPKI vulnerabilities that also impact rcynic
developed by Dragon Research Labs.

The vulnerabilities were discovered through scientific research on the
implementation of RPKI validators. Together with you, the NCSC-NL, the
University of Twente, and multiple other parties, we would like to come to
a timely solution before the results of this research are made public.
More information about Coordinated Vulnerability Disclosure can be found
here [1].

The vulnerabilities are classified as denial-of-service vulnerabilities and
impact multiple implementations of RPKI validators, including rcynic. Since
RPKI is of international interest, we hope that you will work together with
us on this CVD.

The goal is to have fixes available before 1 November which will also be
the date that the results of this research will become public. Before 1
November the information in the CVD, or the fact that a CVD is taking
place, is to be kept strictly confidential. The fixes are to be released
collectively on 1 November.

Please let us know whether you agree to these terms and want to
participate in this CVD. If so, we will send you the details. We hope to
hear from you.

If there are any further questions, please let us know.

Yours sincerely,

Koen van Hove
University of Twente

[1] https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd



More information about the NANOG mailing list