GSA_kwCzR0hTQS1jOHhwLThtZjMtNjJoOc0VmA

High EPSS: 0.0045% (0.62504 Percentile) EPSS:

Permalink JSON

OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values

Affected Packages	Affected Versions	Fixed Versions
go:github.com/cloudflare/cfrpki PURL: `pkg:go/github.com%2Fcloudflare%2Fcfrpki`	< 1.3.0	1.3.0
1 Dependent packages 1 Dependent repositories Affected Version Ranges All affected versions 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2 All unaffected versions 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10

Any CA issuer in the RPKI can trick OctoRPKI prior to https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate.

Impact

An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.

Patches

https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422

https://github.com/cloudflare/cfrpki/releases/tag/v1.3.0

For more information

If you have any questions or comments about this advisory:

Email us at security@cloudflare.com

References:

Identifiers

GHSA-c8xp-8mf3-62h9

CVE-2021-3761

Risk

Severity

High

EPSS

EPSS Percentage: 0.0045

EPSS Percentile: 0.62504

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/cloudflare/cfrpki

Date and time

Published

almost 4 years ago

Updated

over 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories