Cyber Resilience

CVE-2021-3978

Severity: High · Class: LPE (local privilege escalation)

Published: 29 January 2025
Modified: 29 July 2025
KEV Added: not listed
Patch: see the GitHub security advisory linked below
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-3978 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cloudflare Octorpki. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2021-3978 affects octorpki, a component of Cloudflare's cfrpki project. The vulnerability arises because octorpki copies files with rsync using the "-a" (archive) flag, which preserves the permission bits of the source files, including the suid bit on binaries; when the copy runs as root, rsync also preserves the source ownership, so a copied suid binary keeps its elevated privileges. The default service definition for octorpki runs the process as root, which is precisely the condition that makes this replication dangerous.

A local attacker with low privileges (PR:L) can exploit this vulnerability, but it requires high attack complexity (AC:H) and user interaction (UI:R). Exploitation depends on chaining it with another vulnerability that tricks octorpki into processing a malicious TAL file. Successful exploitation changes scope (S:C) and enables local privilege escalation, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.5. Associated weaknesses include CWE-269 and NVD-CWE-noinfo.

Mitigation details are outlined in the GitHub security advisory at https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85. The advisory references the root-running service definition at https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service, highlighting the need to address the rsync flag usage and service privileges.
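As an added illustration (not code from the cfrpki project), the permission-preserving rsync invocation the advisory describes is shown next to a hardened one, together with a defender-side audit and clean-up of the local repository cache. CACHE_DIR and REPO_SRC are placeholder assumptions; the page does not name octorpki's actual cache path or repository source.

```shell
#!/bin/sh
# Added example, not code from the cfrpki project. CACHE_DIR and REPO_SRC are
# placeholder assumptions: the page does not name octorpki's real cache path.
CACHE_DIR="${CACHE_DIR:-/var/cache/octorpki-example}"
REPO_SRC="${REPO_SRC:-rsync://repository.example/rpki/}"

# Vulnerable-style copy, as described in the advisory: -a expands to -rlptgoD.
# -p keeps setuid/setgid bits from the source, and because the service runs as
# root, -o/-g also keep the source owner, so a root-owned setuid file published
# by a malicious repository lands on disk as a root-owned setuid file.
unsafe_sync() {
    rsync -a "$1" "$2"
}

# Hardened copy: no -p/-o/-g/-D, so new files get ordinary modes (source mode
# masked by umask) with setuid/setgid/sticky bits cleared, and neither devices
# nor ownership are reproduced. --safe-links drops symlinks that escape the
# tree. Run this as an unprivileged service user, never as root.
safe_sync() {
    rsync -rlt --safe-links "$1" "$2"
}

# Detection: list regular files in the cache carrying setuid or setgid bits.
# RPKI objects (certificates, ROAs, manifests, CRLs) never need them, so a
# clean cache prints nothing.
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Remediation: clear the bits on everything the audit found.
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Number of flagged files; 0 means the cache is clean.
count_special_bits() {
    audit_special_bits "$1" | wc -l | tr -d ' '
}
```

Running audit_special_bits "$CACHE_DIR" from a scheduled host-integrity check flags any setuid payload that reached the cache; safe_sync is the invocation to prefer over unsafe_sync.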


Vulnerability details

When copying files with rsync, octorpki uses the "-a" flag, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
  Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1548.001 Setuid and Setgid (tactic: Privilege Escalation)
  An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user's context.
Why these techniques?

The vulnerability enables local privilege escalation by preserving setuid bits on binaries copied via rsync as root, which maps directly to exploitation for privilege escalation and to abuse of the setuid mechanism when chained with malicious file processing.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0651 · Same vendor: Cloudflare
CVE-2026-29121 · Shared CWE-269
CVE-2024-13835 · Shared CWE-269
CVE-2024-44250 · Shared CWE-269
CVE-2024-53706 · Shared CWE-269
CVE-2025-66374 · Shared CWE-269
CVE-2026-28995 · Shared CWE-269
CVE-2025-43199 · Shared CWE-269
CVE-2025-36640 · Shared CWE-269
CVE-2025-8899 · Shared CWE-269

Affected Assets

cloudflare octorpki, versions ≤ 1.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly requires identification, reporting, testing, and installation of fixes for flaws like the rsync -a flag preserving suid bits in octorpki, preventing exploitation.

AC-6 Least Privilege (prevent): Enforces least privilege to prevent the octorpki service from running as root, eliminating privilege escalation risk from suid binaries during rsync copies.

CM-6 Configuration Settings (prevent): Establishes and enforces secure configuration settings for rsync flags and service definitions to avoid suid bit preservation and root execution in octorpki.
