nanog mailing list archives
Re: rsync CVE-2022-29154 and RPKI Validation
From: Matt Corallo <nanog () as397444 net>
Date: Fri, 9 Sep 2022 14:39:01 -0400
On 9/9/22 1:58 PM, Vincent Bernat wrote:
On 2022-09-09 19:36, Matt Corallo wrote:The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directoryAh, okay, thanks, its a shame that wasn't included in any of the disclosure posts I managed to find :(It's explained in the manual page: https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY
Heh, right, so not in any of the disclosure posts :p
(but it may be shared with several peers)I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI servers, so it shouldn't be shared, no?Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory. Looking at cfrpki, it looks like it works this way (didn't test).
Hmm, ouch, is there a corresponding security disclosure from cfrpki? I guess cfrpki sees pretty limited use these days.
Thanks, Matt
Current thread:
- rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Matt Corallo (Sep 09)
- Re: rsync and RPKI Validation Geoff Huston (Sep 09)
- Re: rsync CVE-2022-29154 and RPKI Validation Vincent Bernat (Sep 08)