nanog mailing list archives
Re: rsync CVE-2022-29154 and RPKI Validation
From: Vincent Bernat <bernat () luffy cx>
Date: Fri, 9 Sep 2022 19:58:35 +0200
On 2022-09-09 19:36, Matt Corallo wrote:
>> The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory
>
> Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to find :(
It's explained in the manual page: https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY
>> (but it may be shared with several peers)
>
> I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI servers, so it shouldn't be shared, no?
Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory. Looking at cfrpki, it looks like it works this way (didn't test).
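The point of the exchange above is that the rsync fix only confines a malicious server to the client's target directory, so a validator that fetches every publication point into one shared directory still lets one repository's server overwrite another's files. The following shell snippet is an added example, not code from the thread or from any RPKI validator, showing the mitigation being discussed: deriving a dedicated target directory per rsync URI under a cache root and refusing URIs whose path would escape that layout. The cache root, the URI, and the rsync options chosen are assumptions for illustration; the options themselves are standard rsync flags.

```shell
# Added example: one target directory per rsync publication point, so that
# unrequested or excluded files a server pushes land only in its own cache.

# rpki_cache_dir ROOT URI
#   Prints ROOT/<host>/<module>/<path> for URI = rsync://<host>/<module>/<path>/
#   and returns 1 for anything that is not a plain rsync URI or that contains
#   "..", ".", or empty path segments (which would escape or alias directories).
rpki_cache_dir() {
  root=$1
  uri=$2
  case $uri in
    rsync://*) ;;
    *) return 1 ;;
  esac
  rel=${uri#rsync://}
  rel=${rel%/}
  # Surround with slashes so every segment is checked, including first and last.
  case "/$rel/" in
    */../*|*/./*|*//*) return 1 ;;
  esac
  printf '%s/%s\n' "$root" "$rel"
}

# sync_repo ROOT URI
#   Fetches URI into its own directory under ROOT. Assumed defaults:
#   timeouts and a size cap so one misbehaving server cannot stall the
#   validator or fill the disk; --delete keeps the cache a mirror of the
#   publication point rather than an accumulation of stale objects.
sync_repo() {
  dir=$(rpki_cache_dir "$1" "$2") || return 1
  mkdir -p "$dir" || return 1
  rsync -rt --delete --no-motd \
        --timeout=60 --contimeout=30 --max-size=20M \
        "$2/" "$dir/"
}

# Example usage (constructed URI, not a real publication point):
#   sync_repo /var/cache/rpki rsync://rpki.example.net/repo/
```

Because each repository maps to a distinct subtree keyed by host and module, a server exploiting the CVE-2022-29154 behaviour can only affect objects under its own subtree, which is the isolation the thread says the dedicated-directory design is meant to provide.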
Current thread:
- rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync and RPKI Validation Geoff Huston (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)