CVE-2021-3761
📋 TL;DR
This vulnerability allows any Certificate Authority (CA) issuer in the Resource Public Key Infrastructure (RPKI) to trick OctoRPKI versions prior to 1.3.0 into emitting invalid MaxLength values in Validated ROA Payloads (VRPs). This causes RTR sessions to terminate, potentially disabling RPKI Origin Validation in victim networks like Cloudflare (AS 13335), enabling BGP hijacks that would normally be rejected. Affected systems are those running vulnerable OctoRPKI versions in RPKI validation deployments.
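The MaxLength problem described above comes down to one invariant: a VRP's MaxLength is only meaningful when it is at least the prefix length and no larger than the address family's bit width (32 for IPv4, 128 for IPv6). The following added example (not OctoRPKI's or Cloudflare's code) applies that sanity check to a validator's JSON VRP export before the VRPs are handed to RTR clients. The export layout (a "roas" list with prefix, maxLength, asn and ta keys) is an assumption, and the sample entries are constructed.

```python
import ipaddress
import json

# Constructed sample in the JSON export shape used by several RPKI validators
# (a "roas" list of {prefix, maxLength, asn, ta}); the layout is assumed, not
# taken from the advisory. Two entries carry MaxLength values that no router
# can accept: 40 bits on an IPv4 prefix, and 16 bits on a /32 IPv6 prefix.
SAMPLE_VRP_JSON = """
{
  "metadata": {"counts": 4, "generated": 1630000000},
  "roas": [
    {"prefix": "192.0.2.0/24",    "maxLength": 24, "asn": "AS64496", "ta": "example-ta"},
    {"prefix": "198.51.100.0/22", "maxLength": 24, "asn": "AS64497", "ta": "example-ta"},
    {"prefix": "203.0.113.0/24",  "maxLength": 40, "asn": "AS64498", "ta": "example-ta"},
    {"prefix": "2001:db8::/32",   "maxLength": 16, "asn": "AS64499", "ta": "example-ta"}
  ]
}
"""


def check_vrp(entry):
    """Return None when the VRP is sane, otherwise a short reason string."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/8
        net = ipaddress.ip_network(entry["prefix"], strict=True)
    except (ValueError, KeyError) as exc:
        return f"unparseable prefix: {exc}"
    ml = entry.get("maxLength")
    if not isinstance(ml, int):
        return "maxLength missing or not an integer"
    if ml < net.prefixlen:
        return f"maxLength {ml} shorter than prefix length {net.prefixlen}"
    if ml > net.max_prefixlen:  # 32 for IPv4, 128 for IPv6
        return f"maxLength {ml} exceeds {net.max_prefixlen}-bit address space"
    return None


def find_invalid_vrps(json_text):
    """Scan a VRP export and return (prefix, maxLength, reason) for each defect."""
    data = json.loads(json_text)
    bad = []
    for entry in data.get("roas", []):
        reason = check_vrp(entry)
        if reason is not None:
            bad.append((entry.get("prefix"), entry.get("maxLength"), reason))
    return bad


if __name__ == "__main__":
    for prefix, max_length, reason in find_invalid_vrps(SAMPLE_VRP_JSON):
        print(f"REJECT {prefix} maxLength={max_length}: {reason}")
```

Running this against a real export file (json.load on the validator's output) before it is served over RTR turns a session-killing PDU into a logged rejection, which is the behaviour a patched validator should show and a useful cross-check while verifying an upgrade.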
💻 Affected Systems
- OctoRPKI
📦 What is this software?
OctoRPKI by Cloudflare
⚠️ Risk & Real-World Impact
Worst Case
An attacker disables RPKI Origin Validation in a major network, then successfully executes a BGP hijack that redirects internet traffic, potentially causing widespread service disruption, data interception, or man-in-the-middle attacks.
Likely Case
RTR session termination causes temporary disruption of RPKI validation, allowing limited BGP hijack opportunities or causing BGP routing churn that leads to network instability and availability issues.
If Mitigated
With proper patching, the vulnerability is eliminated; RPKI validation continues normally, preventing exploitation of this specific attack vector.
🎯 Exploit Status
Exploitation requires the attacker to be a CA issuer in RPKI, but no authentication is needed beyond that; the attack leverages protocol manipulation rather than code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.0
Vendor Advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9
Restart Required: Yes
Instructions:
1. Stop the OctoRPKI service.
2. Update OctoRPKI to version 1.3.0 or later using your package manager or from source.
3. Restart the OctoRPKI service.
4. Verify the update by checking the version and monitoring RTR sessions.
🔧 Temporary Workarounds
Temporary RTR Session Monitoring
Monitor RTR sessions for unexpected termination and manually restart them if needed to maintain RPKI validation.
# Monitor RTR session logs:
tail -f /var/log/octorpki.log | grep -i 'rtr'
# Restart OctoRPKI service if sessions drop:
systemctl restart octorpki
🧯 If You Can't Patch
- Isolate OctoRPKI instances from untrusted networks or CAs to reduce attack surface.
- Implement additional BGP security measures like BGPsec or prefix filtering to mitigate potential hijacks if RPKI validation fails.
🔍 How to Verify
Check if Vulnerable:
Check the OctoRPKI version; if it is below 1.3.0, the system is vulnerable. Use: octorpki --version or check the installed package version.
Check Version:
octorpki --version
Verify Fix Applied:
After updating, confirm the version is 1.3.0 or higher and monitor RTR sessions for stable connections without unexpected terminations.
📡 Detection & Monitoring
Log Indicators:
- Unexpected RTR session termination logs in OctoRPKI
- Errors related to MaxLength values or VRP validation
Network Indicators:
- Sudden drops in RTR connections from RPKI validators
- Increased BGP update churn or routing instability
SIEM Query:
source="octorpki.log" AND ("RTR session terminated" OR "MaxLength error")
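The SIEM query above matches single lines; what distinguishes this vulnerability from an ordinary client disconnect is a MaxLength error followed closely by one or more RTR terminations. The following added example (not part of the advisory, and not OctoRPKI's code) runs the two log indicators over constructed log lines, correlates terminations with a preceding MaxLength error, and raises a burst alert when several sessions drop inside one window. The timestamp and message layout of the sample lines is assumed; OctoRPKI's real log format is not given on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the layout (ISO timestamp, level, message) is assumed.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z INFO  RTR session established from 192.0.2.10
2021-09-01T10:00:05Z INFO  loaded 250000 VRPs
2021-09-01T10:01:12Z ERROR MaxLength error: prefix 203.0.113.0/24 maxLength 40
2021-09-01T10:01:13Z WARN  RTR session terminated peer=192.0.2.10
2021-09-01T10:01:14Z WARN  RTR session terminated peer=192.0.2.11
2021-09-01T10:30:00Z INFO  RTR session established from 192.0.2.10
2021-09-01T10:45:00Z WARN  RTR session terminated peer=192.0.2.10
"""

# The two indicators from the advisory's SIEM query, as case-insensitive patterns.
INDICATORS = {
    "rtr_terminated": re.compile(r"RTR session terminated", re.I),
    "maxlength_error": re.compile(r"MaxLength error", re.I),
}
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_events(text):
    """Return (timestamp, indicator_name, message) for every line that matches an indicator."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        msg = m.group(3)
        for name, rx in INDICATORS.items():
            if rx.search(msg):
                events.append((ts, name, msg))
    return events


def terminations_after_maxlength_error(events, window=timedelta(minutes=5)):
    """Pair each MaxLength error with the RTR terminations that follow it within the window."""
    errors = [ts for ts, name, _ in events if name == "maxlength_error"]
    terms = [ts for ts, name, _ in events if name == "rtr_terminated"]
    return [(e, t) for e in errors for t in terms if e <= t <= e + window]


def burst_alerts(events, window=timedelta(minutes=5), threshold=2):
    """Return (window_start, count) for each window holding >= threshold terminations."""
    terms = sorted(ts for ts, name, _ in events if name == "rtr_terminated")
    alerts = []
    i = 0
    while i < len(terms):
        start = terms[i]
        in_window = [t for t in terms[i:] if t - start <= window]
        if len(in_window) >= threshold:
            alerts.append((start, len(in_window)))
            i += len(in_window)  # skip terminations already covered by this alert
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for err_ts, term_ts in terminations_after_maxlength_error(evs):
        print(f"termination at {term_ts} follows MaxLength error at {err_ts}")
    for start, count in burst_alerts(evs):
        print(f"ALERT: {count} RTR terminations within 5 min of {start}")
```

The single termination at 10:45 in the sample is left alone: it has no preceding MaxLength error and does not reach the burst threshold, which is the kind of routine reconnect that should not page anyone.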