CVE-2021-3978
Published: 29 January 2025
Description
When copying files with rsync, octorpki uses the "-a" flag, which makes rsync copy binaries with the suid bit set, as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ), this could provide a local privilege escalation vector when combined with another vulnerability that causes octorpki to process a malicious TAL file.
Security Summary
CVE-2021-3978 affects octorpki, a component of Cloudflare's cfrpki project. The vulnerability arises when octorpki copies files using rsync with the "-a" flag, which preserves the suid bit on copied binaries. Because the default service definition runs octorpki as root, the copied suid binaries retain elevated privileges after replication.
A local attacker with low privileges (PR:L) can exploit this vulnerability, but it requires high attack complexity (AC:H) and user interaction (UI:R). Exploitation depends on chaining it with another vulnerability that tricks octorpki into processing a malicious TAL file. Successful exploitation changes scope (S:C) and enables local privilege escalation, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 7.5. Associated weaknesses include CWE-269 and NVD-CWE-noinfo.
Mitigation details are outlined in the GitHub security advisory at https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85. The advisory references the root-running service definition at https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service, highlighting the need to address the rsync flag usage and service privileges.
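The weakness above is that an archive-style copy keeps the full file mode, setuid included, so a synced cache can end up holding suid binaries. The following script is an added example written for this page; it is not code from cfrpki or octorpki. It uses Python's shutil.copy2 as a stand-in for the mode-preserving behaviour of rsync -a (rsync is not invoked), builds a constructed sample repository with one setuid file, and shows three defender-side checks: an audit that lists setuid/setgid files under a cache directory, a copy that strips those bits during replication (the same idea as passing rsync a --chmod that removes u+s and g+s), and an in-place remediation for a cache that was already populated. The file names and contents are constructed and are not real RPKI objects.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# setuid and setgid bits; an archive-style copy (rsync -a implies -p) keeps them.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_bit_files(root):
    """Return sorted relative paths of regular files under root that carry setuid/setgid."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def copy_preserving_mode(src, dst):
    """Mode-preserving tree copy (stand-in for rsync -a): shutil.copy2 keeps the full mode."""
    shutil.copytree(src, dst, copy_function=shutil.copy2)


def copy_sanitized(src, dst):
    """Tree copy that drops setuid/setgid from every file it writes (assumed mitigation)."""
    def _copy(s, d, *, follow_symlinks=True):
        shutil.copyfile(s, d, follow_symlinks=follow_symlinks)
        mode = stat.S_IMODE(os.stat(s).st_mode) & ~SPECIAL_BITS
        os.chmod(d, mode)
        return d
    shutil.copytree(src, dst, copy_function=_copy)


def strip_special_bits(root):
    """Remediate an existing cache in place; returns the relative paths that were changed."""
    root = Path(root)
    fixed = []
    for rel in find_special_bit_files(root):
        p = root / rel
        os.chmod(p, stat.S_IMODE(p.stat().st_mode) & ~SPECIAL_BITS)
        fixed.append(rel)
    return fixed


def demo():
    """Build a constructed 'repository' with one setuid file and copy it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "repo"
        (src / "bin").mkdir(parents=True)
        bad = src / "bin" / "helper"             # constructed sample, not a real RPKI object
        bad.write_bytes(b"#!/bin/sh\necho hi\n")
        os.chmod(bad, 0o755 | stat.S_ISUID)      # setuid on a file we own needs no privilege
        (src / "ta.cer").write_bytes(b"constructed placeholder, not a certificate")
        os.chmod(src / "ta.cer", 0o644)

        result = {"source": find_special_bit_files(src)}
        copy_preserving_mode(src, tmp / "cache_preserving")
        result["preserving"] = find_special_bit_files(tmp / "cache_preserving")
        copy_sanitized(src, tmp / "cache_sanitized")
        result["sanitized"] = find_special_bit_files(tmp / "cache_sanitized")
        result["remediated"] = strip_special_bits(tmp / "cache_preserving")
        result["after_remediation"] = find_special_bit_files(tmp / "cache_preserving")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints that the mode-preserving copy carries bin/helper over with its setuid bit intact, the sanitized copy contains no setuid or setgid files, and strip_special_bits clears the bit from the already-populated cache. The audit function is the piece worth keeping around: pointed at a cache that is synced as root, it reports exactly the files that the advisory describes as a privilege escalation vector, and running the service as an unprivileged user (rather than the root default in the referenced unit file) removes the root-owned-suid outcome regardless of the rsync flags.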
Details
- CWE(s)