CVE-2021-3978
📋 TL;DR
CVE-2021-3978 is a local privilege escalation vulnerability in Cloudflare's octorpki RPKI validator. When combined with another vulnerability that allows processing malicious TAL files, attackers could gain root privileges on affected systems. This affects systems running vulnerable versions of octorpki with default service configurations.
💻 Affected Systems
- Cloudflare cfrpki/octorpki
📦 What is this software?
OctoRPKI is Cloudflare's RPKI validator, published as part of the cfrpki project. It synchronises RPKI repository contents with rsync, which is where this vulnerability lies.
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the system through privilege escalation, allowing complete control over the host and potential lateral movement.
Likely Case
Local attackers gaining root privileges on systems where they already have some access, enabling further system compromise.
If Mitigated
Limited impact if proper access controls and privilege separation are in place, since exploitation also requires chaining with a second vulnerability.
🎯 Exploit Status
Requires chaining with another vulnerability that allows processing malicious TAL files, which makes exploitation more complex.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in updated versions of cfrpki/octorpki
Vendor Advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85
Restart Required: No
Instructions:
1. Update octorpki to the latest version.
2. Verify the fix by checking that rsync is no longer invoked with the -a flag, which preserves setuid bits.
3. Restart the octorpki service if it was running.
🔧 Temporary Workarounds
Run octorpki as non-root user
Platform: Linux
Modify the service configuration to run octorpki with reduced privileges.
Edit /etc/systemd/system/octorpki.service or equivalent and change User=root to User=nonprivilegeduser
systemctl daemon-reload
systemctl restart octorpki
Modify rsync behavior
Platform: all
Configure rsync so that it does not preserve setuid bits when copying files.
Modify the octorpki source code to remove the -a flag from its rsync calls, or replace it with --no-perms --no-owner --no-group (so rsync no longer preserves permission bits, including setuid, or file ownership).
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the octorpki system
- Monitor for suspicious activity and unauthorized privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the octorpki service runs as root and whether it invokes rsync with the -a flag (which preserves permission bits, including setuid) in its operations.
Check Version:
octorpki --version or check package version via system package manager
Verify Fix Applied:
Verify that the octorpki version is updated and that its rsync calls no longer use the -a flag (or otherwise preserve setuid bits).
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Unauthorized suid bit modifications
- Suspicious rsync operations with -a flag
Network Indicators:
- Unusual outbound connections from octorpki process
SIEM Query:
process.name:octorpki AND user.name:root AND process.args:*rsync* AND process.args:*-a*
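The following script ties the workaround, verification and detection sections above together as a host-side audit. It is an added example, not code from the advisory or from the cfrpki project. It assumes the systemd unit path named in the workaround and a cache directory of /var/lib/octorpki/cache (an assumption, overridable through OCTORPKI_CACHE), and it replays the SIEM query's logic over a few constructed process events rather than a real log feed. The rsync flag check mirrors rsync's own behaviour that the last option wins, so -a --no-perms is treated as not preserving permissions.

```shell
#!/bin/sh
# Added audit helper for CVE-2021-3978; not part of the advisory or cfrpki.
# Assumptions (labelled): OCTORPKI_UNIT defaults to the unit path from the
# workaround text, OCTORPKI_CACHE to an assumed cache directory.

# Print the account a systemd unit runs as. systemd runs a service as root
# when the [Service] section has no User= line, so absence counts as root.
unit_run_user() {
  u=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
  if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'root\n'; fi
}

unit_runs_as_root() {
  [ "$(unit_run_user "$1")" = "root" ]
}

# Walk an rsync argument list the way rsync does (last option wins) and return
# 0 when the transfer would preserve permission bits, i.e. when a setuid bit on
# a fetched file survives the copy. -a implies -p; --no-perms turns it off.
rsync_preserves_perms() {
  on=0
  for arg in "$@"; do
    case "$arg" in
      --archive|--perms) on=1 ;;
      --no-perms|--no-p) on=0 ;;
      --*) ;;                                        # other long options: irrelevant
      -*) case "$arg" in *a*|*p*) on=1 ;; esac ;;     # short clusters such as -avz
    esac
  done
  [ "$on" = 1 ]
}

# Setuid/setgid files under a directory: what a malicious repository could
# leave behind in the rsync cache when permissions are preserved.
list_setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

count_setuid_files() {
  list_setuid_files "$1" | wc -l | tr -d ' '
}

# Host-side equivalent of the SIEM query: rsync launched by octorpki, as root,
# with permission-preserving flags. Arguments: user, parent process name, then
# the rsync command line.
flag_rsync_event() {
  user="$1"; parent="$2"; shift 2
  [ "$user" = "root" ] || return 1
  [ "$parent" = "octorpki" ] || return 1
  rsync_preserves_perms "$@"
}

# Constructed sample events in "user parent args..." form (not real logs).
SAMPLE_EVENTS='root octorpki rsync -avz rsync://rpki.example/repo/ /var/lib/octorpki/cache/rpki.example/
octorpki octorpki rsync -avz rsync://rpki.example/repo/ /var/lib/octorpki/cache/rpki.example/
root octorpki rsync -rtlz --no-perms --no-owner --no-group rsync://rpki.example/repo/ /var/lib/octorpki/cache/rpki.example/'

# Count the events on stdin that the rule flags.
count_flagged_events() {
  n=0
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line                     # word splitting is intended here
    if flag_rsync_event "$@"; then n=$((n + 1)); fi
  done
  printf '%s\n' "$n"
}

audit_host() {
  if [ -r "$1" ]; then
    if unit_runs_as_root "$1"; then
      printf 'WARN: %s runs octorpki as root; set User= to an unprivileged account\n' "$1"
    else
      printf 'OK: %s runs octorpki as %s\n' "$1" "$(unit_run_user "$1")"
    fi
  else
    printf 'INFO: unit file %s not readable, skipping\n' "$1"
  fi
  if [ -d "$2" ]; then
    n=$(count_setuid_files "$2")
    if [ "$n" -gt 0 ]; then
      printf 'WARN: %s setuid/setgid file(s) under %s:\n' "$n" "$2"
      list_setuid_files "$2"
    else
      printf 'OK: no setuid/setgid files under %s\n' "$2"
    fi
  else
    printf 'INFO: cache directory %s missing, skipping\n' "$2"
  fi
}

# Stand-alone run: audit this host, then replay the constructed sample events.
UNIT="${OCTORPKI_UNIT:-/etc/systemd/system/octorpki.service}"   # path from the workaround text
CACHE="${OCTORPKI_CACHE:-/var/lib/octorpki/cache}"              # assumed; point at the real cache
audit_host "$UNIT" "$CACHE"
printf 'flagged sample events: %s of 3\n' "$(printf '%s\n' "$SAMPLE_EVENTS" | count_flagged_events)"
```

Only the first sample event is flagged: the second runs as an unprivileged user, and the third uses the --no-perms workaround, so a setuid bit on a fetched file would not survive the copy. Run the script periodically, or feed `count_flagged_events` from your own process-audit export, to confirm the workarounds stay in place after package updates.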