rsync CVE-2022-29154 and RPKI Validation
Matt Corallo
nanog at as397444.net
Fri Sep 9 02:56:09 UTC 2022
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to
write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI
validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their
release/security package streams.
Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI
validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to
RPKI validation?
Thanks,
Matt
[1] https://security-tracker.debian.org/tracker/CVE-2022-29154
[2] https://ubuntu.com/security/CVE-2022-29154
More information about the NANOG
mailing list