CVE-2021-3978
Published: 29 January 2025
Summary
CVE-2021-3978 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cloudflare Octorpki. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2021-3978 affects octorpki, a component within Cloudflare's cfrpki project. The vulnerability arises when octorpki copies files using rsync with the "-a" flag, which preserves the suid bit on binaries even when the operation is performed as root. The default service definition for octorpki runs the process as root, exacerbating the issue by allowing suid binaries to retain elevated privileges during replication.
A local attacker with low privileges (PR:L) can exploit this vulnerability, but it requires high attack complexity (AC:H) and user interaction (UI:R). Exploitation depends on chaining it with another vulnerability that tricks octorpki into processing a malicious TAL file. Successful exploitation changes scope (S:C) and enables local privilege escalation, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.5. Associated weaknesses include CWE-269 and NVD-CWE-noinfo.
Mitigation details are outlined in the GitHub security advisory at https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85. The advisory references the root-running service definition at https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service, highlighting the need to address the rsync flag usage and service privileges.
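As an added example, not code from the advisory or the cfrpki project, the following POSIX shell helpers show the defensive side of the flag problem described above: a copy wrapper that omits `-p` (implied by `-a`) and clears setuid/setgid on everything it writes, plus an audit function that lists files under a tree that still carry those bits. It assumes `find(1)` with `-perm`, and `rsync(1)` for the copy wrapper; the setuid file it creates for its self-check is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or the cfrpki project: a copy
# helper that does not carry setuid/setgid bits into the destination, and
# an audit helper that lists files under a tree that still carry them.
# Assumes POSIX sh, find(1) with -perm, and rsync(1) for safe_rsync only.

# Print every regular file under $1 that has the setuid or setgid bit set.
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of setuid/setgid files under $1; "0" means the tree is clean.
count_special_bits() {
    audit_special_bits "$1" | wc -l | tr -d ' '
}

# Copy $1 to $2 with rsync. -r/-l/-t keep the tree, symlinks and mtimes;
# -p (implied by -a) is deliberately left out, and --chmod=u-s,g-s clears
# the special bits on every file that lands in the destination even when
# the copy runs as root. Returns 2 if rsync is not installed.
safe_rsync() {
    command -v rsync >/dev/null 2>&1 || { echo "rsync not installed" >&2; return 2; }
    rsync -rlt --chmod=u-s,g-s "$1" "$2"
}

# Self-check on a constructed tree: one setuid file, copied with plain
# "rsync -a" and with safe_rsync; prints the setuid count of each result.
# Returns 0 when the safe copy is clean, 1 otherwise.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src"
    printf '#!/bin/sh\necho hi\n' > "$tmp/src/tool"
    chmod 4755 "$tmp/src/tool"                       # constructed setuid file

    rsync -a "$tmp/src/" "$tmp/dst_a/" 2>/dev/null   # behaviour the advisory describes
    safe_rsync "$tmp/src/" "$tmp/dst_safe/"

    echo "rsync -a  : $(count_special_bits "$tmp/dst_a") setuid/setgid file(s)"
    echo "safe_rsync: $(count_special_bits "$tmp/dst_safe") setuid/setgid file(s)"

    clean=$(count_special_bits "$tmp/dst_safe")
    rm -rf "$tmp"
    [ "$clean" = "0" ]
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh setuid_copy.sh demo` to see the two counts side by side. The wrapper only addresses the rsync half of the advisory; the other half is the unit file, where a non-root `User=` in the `[Service]` section means any setuid bit that does survive a copy belongs to an unprivileged account rather than root.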
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-2286
Vulnerability details
When copying files with rsync, octorpki uses the "-a" flag, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables local privilege escalation by preserving setuid bits on binaries copied via rsync as root, which maps directly to Exploitation for Privilege Escalation (T1068) and to abuse of setuid mechanisms when chained with malicious file processing.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: Directly requires identification, reporting, testing, and installation of fixes for flaws like the rsync -a flag preserving suid bits in octorpki, preventing exploitation.
- AC-6 (Least Privilege): Enforces least privilege to prevent the octorpki service from running as root, eliminating the privilege escalation risk from suid binaries during rsync copies.
- CM-6 (Configuration Settings): Establishes and enforces secure configuration settings for rsync flags and service definitions to avoid suid bit preservation and root execution in octorpki.