possible rsync validation dos vuln

Randy Bush randy at psg.com
Fri Oct 29 01:03:58 UTC 2021

received this vuln notice four days before these children intend to
disclose.  so you can guess how inclined to embargo.


From: Koen van Hove <k.w.vanhove at student.utwente.nl>
Subject: CVD: Vulnerabilities in RPKI Validators
To: randy at psg.com, sra at hactrn.net
Cc: cert at ncsc.nl
Date: Wed, 27 Oct 2021 14:59:21 -0700

Dear Randy Bush and Rob Austein,

Apologies, this email was previously sent to the wrong email address.

On behalf of the University of Twente and the National Cyber Security
Centre of the Netherlands (NCSC-NL) we want to notify you of a Coordinated
Vulnerability Disclosure for RPKI vulnerabilities that also impact rcynic
developed by Dragon Research Labs.

The vulnerabilities were discovered by scientific research on the
implementation of RPKI validators.
Together with you, the NCSC-NL, the University of Twente, and multiple
other parties, we would like to come to a timely solution before the
results of this research will be made public. More information about
Coordinated Vulnerability Disclosure can be found here [1].

The vulnerabilities are classified as a denial of service vulnerability and
impact multiple implementations of RPKI validators including rcynic. Since
RPKI is of international interest we hope that you will work together with
us on this CVD.

The goal is to have fixes available before 1 November which will also be
the date that the results of this research will become public. Before 1
November the information in the CVD, or the fact that a CVD is taking
place, is to be kept strictly confidential. The fixes are to be released
collectively on 1 November.

Please let us know whether you agree to these terms, and want to
participate in this CVD. If so, we will send you the details. We hope to
hear from you.

If there are any further questions, please let us know.

Yours sincerely,

Koen van Hove
University of Twente

[1] https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd

- --
Koen van Hove
Version: FlowCrypt Email Encryption 8.1.5
Comment: Seamlessly send and receive encrypted email


More information about the NANOG mailing list