nanog mailing list archives
Re: rsync CVE-2022-29154 and RPKI Validation
From: Vincent Bernat <bernat () luffy cx>
Date: Fri, 9 Sep 2022 08:36:58 +0200
On 2022-09-09 04:56, Matt Corallo wrote:
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their release/security package streams.Are rsync-based (or rsync-fallback, which I believe is still required for all RPKI validators?) RPKI validators all vulnerable to takeover from this, or is there some reason why this doesn't apply to RPKI validation?
The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory (but it may be shared with several peers), so they should be safe.
Current thread:
- rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync and RPKI Validation Geoff Huston (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)