CVE-2022-24798 in IRRd

Summary

by MITRE • 04/01/2022

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.


Analysis

by VulDB Data Team • 04/02/2022

The CVE-2022-24798 vulnerability affects the Internet Routing Registry daemon version 4, an IRR database server that processes IRR objects in RPSL format. This daemon serves as a critical component in internet routing infrastructure, maintaining database records that control routing policies and access permissions for network resources. The vulnerability affects only instances that maintain authoritative databases, not mirror databases, creating a significant security gap in the IRR ecosystem where password hash exposure could compromise system integrity.

The technical flaw resides in the daemon's insufficient filtering during query responses and database exports, particularly concerning `mntner` objects, which contain maintenance group information and associated password hashes. This weakness allows adversaries to extract password hashes from legitimate query responses, creating an attack surface that could be exploited through brute-force attacks against the clear-text passphrases. The vulnerability represents a failure in proper access control and data sanitization practices within the IRRd software architecture, violating fundamental security principles of least privilege and proper data isolation.

The operational impact of this vulnerability extends beyond simple information disclosure, as compromised password hashes could enable unauthorized modifications to IRR objects, potentially allowing attackers to manipulate routing policies and disrupt internet connectivity. This risk is particularly severe in the context of routing infrastructure where unauthorized changes could have cascading effects across global internet routing. The vulnerability affects only authoritative IRRd instances, meaning mirror-only deployments remain unaffected, but this limitation does not mitigate the risk for organizations maintaining their own authoritative databases.

Organizations using IRRd version 4.2.x are strongly advised to upgrade immediately to version 4.2.3 or later, as this represents the first patched release addressing the issue. The vulnerability was not present in the 4.1.x series, making version 4.2.x installations the primary concern for remediation efforts. Security teams should implement comprehensive monitoring of IRRd instances to detect any potential exploitation attempts and ensure proper access controls are maintained. This vulnerability aligns with CWE-200 (Information Exposure) and could be leveraged through ATT&CK techniques involving credential access and privilege escalation. The fix implemented in version 4.2.3 addresses the root cause by properly sanitizing query responses and database exports to prevent password hash leakage while maintaining system functionality.
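
As a post-upgrade check, the added example below (not IRRd's own code and not part of the original advisory) scans a database export for `mntner` objects whose `auth:` lines still carry a password hash. The scheme names and the `DummyValue` placeholder are assumptions about the export format, and the sample export is constructed.

```python
import re

# Assumption: hash-bearing auth schemes commonly used in IRR databases.
HASH_SCHEMES = {"CRYPT-PW", "MD5-PW", "BCRYPT-PW"}
# Assumption: placeholder the server writes in place of a filtered hash.
FILTERED_PLACEHOLDER = "DummyValue"

# Constructed sample export: not real data, the hash is a made-up string.
SAMPLE_EXPORT = """\
mntner:         MAINT-EXAMPLE-A
auth:           MD5-PW DummyValue  # Filtered for security
auth:           PGPKEY-00000000
source:         EXAMPLE

route:          192.0.2.0/24
origin:         AS64500
source:         EXAMPLE

mntner:         MAINT-EXAMPLE-B
auth:           md5-pw $1$constructed$notARealHashValue000000
auth:           CRYPT-PW DummyValue
source:         EXAMPLE
"""

def find_unfiltered_hashes(export_text):
    """Return (mntner, scheme) for each auth line still carrying a hash."""
    findings = []
    for obj in re.split(r"\n\s*\n", export_text.strip()):  # blank line = object boundary
        lines = [l for l in obj.splitlines() if l and not l.startswith(("#", "%"))]
        if not lines or ":" not in lines[0]:
            continue
        key, _, name = lines[0].partition(":")
        if key.strip().lower() != "mntner":
            continue  # only mntner objects carry auth hashes
        for line in lines[1:]:
            attr, _, value = line.partition(":")
            if attr.strip().lower() != "auth":
                continue
            parts = value.split("#", 1)[0].split()  # drop trailing comment
            if len(parts) < 2 or parts[0].upper() not in HASH_SCHEMES:
                continue  # e.g. PGPKEY-... references hold no hash
            if parts[1] != FILTERED_PLACEHOLDER:
                findings.append((name.strip(), parts[0].upper()))
    return findings

if __name__ == "__main__":
    for mntner, scheme in find_unfiltered_hashes(SAMPLE_EXPORT):
        print(f"unfiltered {scheme} hash in {mntner}")
```

Any finding on an export produced after the upgrade means hashes are still leaving the server and the affected maintainers' passwords should be rotated.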

Responsible: GitHub, Inc.
Reservation: 02/10/2022
Disclosure: 04/01/2022
Moderation: accepted
CPE: ready
EPSS: 0.01366
KEV: no
Activities: very low
