
OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values

High
dhaynespls published GHSA-c8xp-8mf3-62h9 Sep 3, 2021

Package

gomod octorpki (Go)

Affected versions

< 1.3.0

Patched versions

1.3.0

Description

Any CA issuer in the RPKI can trick OctoRPKI prior to a8db4e0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate.

Impact

An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) before launching a BGP hijack that, during normal operation, would be rejected as "RPKI invalid". Additionally, in certain deployments the RTR session flapping itself can cause BGP routing churn, leading to availability issues.
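The "contextual out-of-bounds check" the advisory title refers to is the constraint that a ROA maxLength must lie between the prefix length and the bit width of the address family (32 for IPv4, 128 for IPv6), with an absent maxLength defaulting to the prefix length. The following Go code is an added example written for this page, not OctoRPKI's own code: the VRP and Rejected types, the function names and the sample entries (documentation prefixes and ASNs) are all constructed here. It shows the check applied before entries are handed on, so that an out-of-range value from any CA issuer is dropped and logged instead of being emitted into an RTR session.

```go
package main

import (
	"fmt"
	"net/netip"
)

// VRP is a constructed, minimal Validated ROA Payload record for this example;
// it is not OctoRPKI's internal representation.
type VRP struct {
	ASN          uint32
	Prefix       string // textual prefix as carried in the ROA, e.g. "203.0.113.0/24"
	MaxLength    int
	HasMaxLength bool // false when the ROA omitted maxLength
}

// Rejected pairs a dropped entry with the reason, so the rejection can be logged.
type Rejected struct {
	VRP    VRP
	Reason error
}

// ValidateMaxLength applies the contextual bounds from RFC 6482 / RFC 8210:
// prefix length <= maxLength <= address-family width (32 or 128).
// An absent maxLength is treated as equal to the prefix length.
// It returns the effective maxLength to use in the VRP.
func ValidateMaxLength(prefix netip.Prefix, maxLength int, hasMaxLength bool) (int, error) {
	if !prefix.IsValid() {
		return 0, fmt.Errorf("invalid prefix %v", prefix)
	}
	familyBits := prefix.Addr().BitLen() // 32 for IPv4, 128 for IPv6
	if !hasMaxLength {
		return prefix.Bits(), nil
	}
	if maxLength < prefix.Bits() {
		return 0, fmt.Errorf("maxLength %d shorter than prefix length %d for %v", maxLength, prefix.Bits(), prefix)
	}
	if maxLength > familyBits {
		return 0, fmt.Errorf("maxLength %d exceeds address-family width %d for %v", maxLength, familyBits, prefix)
	}
	return maxLength, nil
}

// SanitizeVRPs keeps only entries whose maxLength is in range and collects the
// rest with their reasons; nothing out of range is passed on toward RTR.
func SanitizeVRPs(in []VRP) (accepted []VRP, rejected []Rejected) {
	for _, v := range in {
		p, err := netip.ParsePrefix(v.Prefix)
		if err != nil {
			rejected = append(rejected, Rejected{VRP: v, Reason: err})
			continue
		}
		ml, err := ValidateMaxLength(p.Masked(), v.MaxLength, v.HasMaxLength)
		if err != nil {
			rejected = append(rejected, Rejected{VRP: v, Reason: err})
			continue
		}
		v.MaxLength, v.HasMaxLength = ml, true
		accepted = append(accepted, v)
	}
	return accepted, rejected
}

// SampleVRPs is a constructed set of ROA-derived entries using documentation
// prefixes and ASNs (RFC 5737, RFC 3849, RFC 5398); they are not real ROAs.
var SampleVRPs = []VRP{
	{ASN: 64496, Prefix: "203.0.113.0/24", MaxLength: 24, HasMaxLength: true},  // ok
	{ASN: 64496, Prefix: "198.51.100.0/22", MaxLength: 24, HasMaxLength: true}, // ok: /22 through /24
	{ASN: 64496, Prefix: "192.0.2.0/24"},                                       // ok: maxLength defaults to 24
	{ASN: 64497, Prefix: "2001:db8::/32", MaxLength: 48, HasMaxLength: true},   // ok
	{ASN: 64497, Prefix: "203.0.113.0/24", MaxLength: 33, HasMaxLength: true},  // reject: wider than IPv4
	{ASN: 64497, Prefix: "198.51.100.0/22", MaxLength: 20, HasMaxLength: true}, // reject: shorter than prefix
	{ASN: 64497, Prefix: "2001:db8::/32", MaxLength: 129, HasMaxLength: true},  // reject: wider than IPv6
}

func main() {
	ok, bad := SanitizeVRPs(SampleVRPs)
	for _, v := range ok {
		fmt.Printf("accept AS%d %s maxLength=%d\n", v.ASN, v.Prefix, v.MaxLength)
	}
	for _, r := range bad {
		fmt.Printf("reject AS%d %s: %v\n", r.VRP.ASN, r.VRP.Prefix, r.Reason)
	}
}
```

The check is deliberately placed on the producer side, before the entry reaches any RTR encoding, because a single bad value reaching the wire is what caused the session terminations described above; rejecting and logging the entry keeps the rest of the VRP set flowing.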

Patches

a8db4e0

https://github.com/cloudflare/cfrpki/releases/tag/v1.3.0

For more information

If you have any questions or comments about this advisory:

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2021-3761

Weaknesses

No CWEs

Credits