rsync CVE-2022-29154 and RPKI Validation

• Previous message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Next message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2022-09-09 04:56, Matt Corallo wrote:
> Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows 
> malicious remote servers to write arbitrary files inside the directories 
> of connecting peers") and its potential impact on RPKI validators? It 
> looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in 
> their release/security package streams.
> 
> Are rsync-based (or rsync-fallback, which I believe is still required 
> for all RPKI validators?) RPKI validators all vulnerable to takeover 
> from this, or is there some reason why this doesn't apply to RPKI 
> validation?

The attacker is still limited to the target directory. The attacker can 
send files that were excluded or not requested, but they still end up in 
the target directory. RPKI validators download stuff in a dedicated 
download directory (but it may be shared with several peers), so they 
should be safe.

• Previous message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Next message (by thread): rsync CVE-2022-29154 and RPKI Validation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]