
CVE-2021-3910: NUL character in ROA causes OctoRPKI to crash

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.65191%
Published: 11/10/2021
Updated: 2/14/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: github.com/cloudflare/cfrpki
Ecosystem: go
Vulnerable Versions: < 1.4.0
First Patched Version: 1.4.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing input validation in OctoRPKI's BER parser. Commit 76f0f7a adds a bounds check to readObject() in ber.go so that an offset at or beyond len(ber) is rejected instead of being used as a slice index; in Go, indexing past the end of a slice is a runtime panic, which is the crash the advisory describes rather than a silent out-of-bounds read. A ROA that consists of a single encoded NUL byte is enough to reach the unchecked read: the parser consumes the byte as a tag and then indexes past the end of the buffer looking for the length. Because the object comes from a remote repository during validation, any repository that serves such a file can take the validator down, which matches the CVSS vector (AV:N, A:H) and the CWE-20 classification. Higher-level functions such as BER2DER appear among the affected symbols only because they call into this code path; the root cause is the unchecked memory access in readObject before the patch.
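The bug class is easiest to see side by side. The following Go program is an added example, not cfrpki's own ber.go or the patched readObject: it is a minimal BER tag-length-value reader written in the same shape (read tag, read length, slice the value). readObjectUnchecked mirrors the pre-patch pattern and panics on a one-byte input; readObjectChecked is the hardened form, which also validates long-form lengths so a truncated length prefix is reported rather than indexed. The byte strings are constructed for the demonstration, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// readObjectUnchecked is a hypothetical stand-in for the pre-patch pattern:
// it indexes the buffer without confirming the bytes exist. A lone NUL byte
// ([]byte{0x00}) is read as the tag, and the next index panics with
// "index out of range" because there is no length byte to read.
func readObjectUnchecked(ber []byte, offset int) (tag byte, value []byte, next int) {
	tag = ber[offset]
	length := int(ber[offset+1]) // no bounds check: panics when len(ber) == 1
	start := offset + 2
	value = ber[start : start+length] // also unchecked against len(ber)
	return tag, value, start + length
}

// readObjectChecked is the hardened form: every read is bounds-checked and
// failures become errors the caller can report instead of process crashes.
// Short-form and long-form (0x81..0x83) definite lengths are supported;
// indefinite (0x80) and wider lengths are rejected.
func readObjectChecked(ber []byte, offset int) (tag byte, value []byte, next int, err error) {
	if offset < 0 || offset >= len(ber) {
		return 0, nil, 0, errors.New("ber: offset past end of input")
	}
	tag = ber[offset]
	pos := offset + 1
	if pos >= len(ber) {
		return 0, nil, 0, errors.New("ber: missing length byte")
	}
	length := int(ber[pos])
	pos++
	if length&0x80 != 0 {
		// Long form: low 7 bits give the number of following length octets.
		// Capping at 3 octets keeps the computed length inside int on every platform.
		n := length & 0x7f
		if n == 0 || n > 3 {
			return 0, nil, 0, errors.New("ber: indefinite or oversized length not supported")
		}
		if pos+n > len(ber) {
			return 0, nil, 0, errors.New("ber: truncated long-form length")
		}
		length = 0
		for i := 0; i < n; i++ {
			length = length<<8 | int(ber[pos+i])
		}
		pos += n
	}
	if length > len(ber)-pos {
		return 0, nil, 0, errors.New("ber: value length exceeds input")
	}
	value = ber[pos : pos+length]
	return tag, value, pos + length, nil
}

// crashesOnInput runs the unchecked reader under recover() so the panic can be
// observed as a boolean instead of terminating the process.
func crashesOnInput(ber []byte) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	readObjectUnchecked(ber, 0)
	return false
}

func main() {
	// Constructed inputs: the single NUL byte from the advisory, and a
	// well-formed SEQUENCE wrapping an INTEGER for comparison.
	nul := []byte{0x00}
	ok := []byte{0x30, 0x03, 0x02, 0x01, 0x05}

	fmt.Printf("unchecked reader panics on %x: %v\n", nul, crashesOnInput(nul))
	fmt.Printf("unchecked reader panics on %x: %v\n", ok, crashesOnInput(ok))

	if _, _, _, err := readObjectChecked(nul, 0); err != nil {
		fmt.Println("checked reader on NUL:", err)
	}
	tag, val, next, err := readObjectChecked(ok, 0)
	fmt.Printf("checked reader on valid object: tag=0x%02x value=%x next=%d err=%v\n", tag, val, next, err)
}
```

The important design point is that the checked reader never lets a length or offset derived from untrusted bytes reach a slice expression without first comparing it against len(ber); in a validator that fetches objects from arbitrary remote repositories, every such index is attacker-controlled.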


Advisory Text

OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded `NUL` (`\0`) character).

Patches

See First Patched Version above (1.4.0).

For more information

If you have any questions or comments about this advisory email us at security@cloudflare.com
