Cyber Posture

CVE-2021-3978

High (LPE)

Published: 29 January 2025

Modified: 29 July 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-3978 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cloudflare Octorpki. Its CVSS base score is 7.5 (High).

Operationally, it ranks at the 21.2nd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (flaw remediation): Directly requires identification, reporting, testing, and installation of fixes for flaws such as the rsync -a flag preserving suid bits in octorpki, preventing exploitation.

Prevent (AC-6, Least Privilege): Enforces least privilege so the octorpki service does not run as root, eliminating the privilege escalation risk from suid binaries preserved during rsync copies.

Prevent (CM-6, Configuration Settings): Establishes and enforces secure configuration settings for rsync flags and the service definition so that suid bits are not preserved and octorpki does not execute as root.

NVD Description

When copying files with rsync, octorpki uses the "-a" flag, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.

Deeper analysis

CVE-2021-3978 affects octorpki, a component within Cloudflare's cfrpki project. The vulnerability arises when octorpki copies files using rsync with the "-a" flag, which preserves the suid bit on copied binaries; when the copy is performed as root, those binaries keep their suid bit under root. The default service definition for octorpki runs the process as root, exacerbating the issue by allowing suid binaries to retain elevated privileges during replication.

A local attacker with low privileges (PR:L) can exploit this vulnerability, but it requires high attack complexity (AC:H) and user interaction (UI:R). Exploitation depends on chaining it with another vulnerability that tricks octorpki into processing a malicious TAL file. Successful exploitation changes scope (S:C) and enables local privilege escalation, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.5. Associated weaknesses include CWE-269 and NVD-CWE-noinfo.

Mitigation details are outlined in the GitHub security advisory at https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85. The advisory references the root-running service definition at https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service, highlighting the need to address the rsync flag usage and service privileges.
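As an added example (not code from the page or the cfrpki project), a small scanner a defender could run over octorpki's rsync-mirrored cache to surface any file that arrived with the setuid or setgid bit preserved; the cache path and repository name used in the demo are constructed placeholders.

```python
"""Find setuid/setgid files under an rsync-mirrored directory.

Added example, not part of the original page or the cfrpki project.
octorpki mirrors RPKI repositories with `rsync -a`, which preserves
permission bits, so a periodic check of the local cache for files
carrying the suid/sgid bit is a cheap detection for this failure mode.
"""
import os
import stat
import tempfile
from pathlib import Path

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_bit_files(root):
    """Return sorted (relative_path, octal_mode) pairs for regular files
    under `root` whose mode has the setuid or setgid bit set."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)  # lstat: never follow symlinks out of the cache
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & SPECIAL_BITS:
                hits.append((str(path.relative_to(root)),
                             oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo():
    """Constructed cache tree: one clean object and one setuid 'helper'."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        repo = cache / "rpki.example.test"  # constructed repository name
        repo.mkdir(parents=True)
        (repo / "ta.cer").write_bytes(b"\x30\x82")  # constructed, clean
        helper = repo / "helper"
        helper.write_bytes(b"#!/bin/sh\n")
        helper.chmod(0o4755)  # rwsr-xr-x, as rsync -a would have preserved it
        return find_special_bit_files(cache)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode} {rel}")
```

In a real deployment the scanner would be pointed at the directory octorpki writes to and its output forwarded to monitoring, since any hit there means an upstream repository shipped a file that should never carry those bits.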

Details

CWE(s): CWE-269 (Improper Privilege Management)

Affected Products: cloudflare octorpki ≤ 1.4.2

CVEs Like This One

CVE-2025-0651 (same vendor: Cloudflare)
CVE-2026-2835 (same vendor: Cloudflare)
CVE-2026-2836 (same vendor: Cloudflare)
CVE-2026-2833 (same vendor: Cloudflare)
CVE-2026-1229 (same vendor: Cloudflare)
CVE-2026-0933 (same vendor: Cloudflare)
CVE-2026-2777 (shared CWE-269)
CVE-2025-0834 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)
CVE-2024-58104 (shared CWE-269)
