KRILL

We take security very seriously. If you have found a security issue in krill, please submit a security report.


Triggered Krill crash on direct RRDP access

Date:2023-01-17
CVE:CVE-2023-0158
Credit:user KittensAreDaBest on GitHub
Affects:Krill up to and including 0.12.0
Not affected:Earlier versions
Severity:Medium
Impact:Crash after receiving a specially crafted query
Solution:Install Krill 0.12.1 or newer

Krill can be used to operate an RPKI Publication Server. If used in this way, it is recommended that the RPKI repository "RRDP" (RFC 8182) content is served using a separate and dedicated web server. See documentation for Krill 0.12.0.

However, Krill also supports direct access to this repository content through its built-in web server at the "/rrdp" endpoint. It was discovered that a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash.

If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated.

The preferred solution is to follow the documented recommendation to use a separate web server for the RRDP content, and disable direct access to the "/rrdp" endpoint. This solution is (and was) preferred because dedicated web servers are much better suited to handle high load HTTP traffic compared to the built-in HTTP application server.

Krill 0.12.1 also ensures that direct queries to the "/rrdp" endpoint will no longer result in a crash.