CVE-2022-24798

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. The issue occurred: * For `mntner` objects where all password hash names (`MD5-PW` and `CRYPT-PW`) were in lower or mixed case in the `auth` attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the `export_destination` setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected. * For any GraphQL queries that queried the `auth` field on `mntner` objects. * For any GraphQL queries that queried the `objectText` field on the `journal` field on `mntner` objects, if the `nrtm_access_list` setting permitted journal access. The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]

El demonio Internet Routing Registry versión 4 es un servidor de base de datos IRR, que procesa objetos IRR en el formato RPSL. IRRd no siempre filtraba los hashes de las contraseñas en las respuestas de las consultas relacionadas con los objetos "mntner" y las exportaciones de la base de datos. Esto podía permitir a adversarios recuperar algunos de estos hashes, llevar a cabo una búsqueda por fuerza bruta de la frase de contraseña en texto sin cifrar y usarlos para realizar cambios no autorizados en los objetos IRR afectados. Este problema sólo afectó a las instancias que procesan hashes de contraseñas, lo que significa que se limita a las instancias de IRRd que sirven a bases de datos autorizadas. Las instancias de IRRd que funcionan únicamente como réplicas de otras bases de datos de IRR no están afectadas. Esto ha sido corregido en IRRd versión 4.2.3 y en la rama principal. Las versiones de la serie 4.1.x nunca fueron afectadas. Es recomendado encarecidamente a usuarios de la serie 4.2.x actualizar. no se presentan medidas de mitigación conocidas para este problema