PT-2021-21737 · Octorpki · Octorpki
Job Snijders · Published 2021-09-07 · Updated 2022-07-15
CVE-2021-3761
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
OctoRPKI versions prior to 1.3.0
Description
Any CA issuer in the RPKI can trick OctoRPKI into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network, for example AS 13335 - Cloudflare, prior to launching a BGP hijack that would otherwise be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping can by itself cause BGP routing churn, leading to availability issues.
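The defensive check the description implies is that a validator must never forward a VRP whose MaxLength is outside the range a ROA may carry before it reaches RTR clients. The following is an added example and not OctoRPKI's own code; it assumes the generic ROA constraint from RFC 6482 (prefix length <= MaxLength <= 32 for IPv4 or 128 for IPv6) and drops any VRP that violates it instead of letting one bad ROA terminate every RTR session. The `VRP` type, `ValidateVRP`, `FilterVRPs` and the sample VRPs are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// VRP is a Validated ROA Payload as it would be sent to RTR clients:
// a prefix, the maximum length the origin AS may announce, and the ASN.
// (Hypothetical type for this example, not OctoRPKI's.)
type VRP struct {
	Prefix    string // CIDR, e.g. "192.0.2.0/24"
	MaxLength int
	ASN       uint32
}

// ErrInvalidVRP marks VRPs that must not reach an RTR session.
var ErrInvalidVRP = errors.New("invalid VRP")

// ValidateVRP enforces the ROA constraint from RFC 6482:
// prefix length <= MaxLength <= address-family bit width (32 or 128).
func ValidateVRP(v VRP) error {
	_, ipnet, err := net.ParseCIDR(v.Prefix)
	if err != nil {
		return fmt.Errorf("%w: bad prefix %q: %v", ErrInvalidVRP, v.Prefix, err)
	}
	ones, bits := ipnet.Mask.Size() // ones = prefix length, bits = 32 or 128
	if v.MaxLength < ones || v.MaxLength > bits {
		return fmt.Errorf("%w: maxLength %d outside [%d, %d] for %s",
			ErrInvalidVRP, v.MaxLength, ones, bits, v.Prefix)
	}
	return nil
}

// FilterVRPs separates valid VRPs from rejected ones so that a single
// malformed ROA from a CA is logged and dropped rather than emitted to clients.
func FilterVRPs(in []VRP) (ok []VRP, rejected []error) {
	for _, v := range in {
		if err := ValidateVRP(v); err != nil {
			rejected = append(rejected, err)
			continue
		}
		ok = append(ok, v)
	}
	return ok, rejected
}

func main() {
	// Constructed sample input using documentation prefixes and private-use ASNs.
	sample := []VRP{
		{Prefix: "192.0.2.0/24", MaxLength: 24, ASN: 64496},
		{Prefix: "192.0.2.0/24", MaxLength: 28, ASN: 64496},
		{Prefix: "192.0.2.0/24", MaxLength: 20, ASN: 64496},   // shorter than the prefix
		{Prefix: "192.0.2.0/24", MaxLength: 255, ASN: 64496},  // exceeds 32 for IPv4
		{Prefix: "2001:db8::/32", MaxLength: 129, ASN: 64497}, // exceeds 128 for IPv6
		{Prefix: "2001:db8::/32", MaxLength: 48, ASN: 64497},
	}
	ok, rejected := FilterVRPs(sample)
	fmt.Printf("%d accepted, %d rejected\n", len(ok), len(rejected))
	for _, err := range rejected {
		fmt.Println(" -", err)
	}
}
```

Rejected entries are returned as errors rather than silently dropped so an operator can alert on a CA that starts publishing out-of-range MaxLength values, which is the observable symptom of the condition this advisory describes.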
Recommendations
For OctoRPKI versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the RTR sessions to minimize the risk of exploitation. Avoid using the MaxLength field in the VRP until the issue is resolved.
Fix
Improper Certificate Validation
Memory Corruption
Related Identifiers
Affected Products
Octorpki