HCSEC-2020-03 - Vault Enterprise’s Dynamic Secrets May Persist After Namespace Deletion

Bulletin ID: HCSEC-2020-03
Affected Products / Versions: Vault Enterprise 0.11.0 and newer; fixed in 1.3.2.
Publication Date: 22 January, 2020

Summary
A vulnerability was identified in Vault Enterprise such that when deleting a namespace, in certain circumstances, the deletion process will fail to revoke dynamic secrets for a mount in that namespace. This vulnerability, CVE-2020-7220, affects Vault Enterprise 0.11.0 and newer and is fixed in the upcoming 1.3.2 release.

Background
Vault Enterprise namespaces allow tokens and secrets (dynamic or otherwise) to be managed within a multi-tenant environment.

Dynamic secrets managed by Vault are subject to a lease / renew / revoke lifecycle. By design, dynamic secrets should be revoked if their associated namespace is deleted.

Details
When deleting a Vault Enterprise namespace, the deletion process may fail to revoke dynamic secrets for a mount in that namespace. This only happens for secrets mounts whose API paths sort after sys alphabetically. The affected dynamic secrets remain active in the remote systems that issued them, and Vault does not clean them up.

This vulnerability breaks the guarantee that dynamic secrets will be revoked in the configured time frame.

There are several conditions required:

  • Run Vault Enterprise 0.11.0 or above.
  • Create a namespace.
  • Create a mount with an API path after sys alphabetically.
  • Create dynamic secrets within that mount.
  • Delete the namespace.

Remediation
As described above, this is a vulnerability with conditions existing only in a subset of Vault deployments and use cases.

If deemed necessary, based on deployment / use case and the conditions described above, operators should upgrade to Vault Enterprise 1.3.2 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Operators may also review their existing/previous namespaces, identify any mounts with an API path after sys alphabetically, and assess any associated dynamic secrets within those mounts for exposure.
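The review above can be scripted against the output of the Vault CLI. The following is an added example, not HashiCorp's code or part of this bulletin: it takes the JSON that `vault secrets list -format=json` prints for one namespace (the sample below is constructed), filters out Vault's own built-in mounts, flags user mounts whose path sorts after sys/, and groups the namespace's lease IDs (also constructed here, in the shape listed under sys/leases/lookup/) by affected mount so an operator knows which credentials to verify in the remote system. It assumes that "alphabetically" means plain lexical string ordering of the mount path; the exact comparison Vault used is not stated in the bulletin.

```python
import json

# Constructed sample: shape of `vault secrets list -format=json` output for
# one namespace, keyed by mount path (values trimmed to type and accessor).
SAMPLE_MOUNTS_JSON = """
{
  "cubbyhole/": {"type": "cubbyhole", "accessor": "cubbyhole_0001"},
  "database/":  {"type": "database",  "accessor": "database_0002"},
  "identity/":  {"type": "identity",  "accessor": "identity_0003"},
  "ssh/":       {"type": "ssh",       "accessor": "ssh_0004"},
  "sys/":       {"type": "system",    "accessor": "system_0005"},
  "transit/":   {"type": "transit",   "accessor": "transit_0006"},
  "zz-aws/":    {"type": "aws",       "accessor": "aws_0007"}
}
"""

# Constructed sample: lease IDs as enumerated under sys/leases/lookup/ for the
# same namespace (hypothetical role names and lease suffixes).
SAMPLE_LEASE_IDS = [
    "database/creds/readonly/h1Tz9f2kq",
    "ssh/creds/otp_role/Q8mPaL0x1",
    "zz-aws/creds/deploy/9kLm2Pq4r",
    "zz-aws/creds/deploy/3Qx7Wn8vb",
]

# Mount types Vault provides itself; they are not user dynamic-secret mounts.
BUILTIN_MOUNT_TYPES = {"system", "identity", "cubbyhole"}


def mounts_after_sys(mounts_json):
    """Return user mount paths that sort after 'sys/'.

    Assumption: the bulletin's 'alphabetically' is plain lexical string
    order, which is what Python's str comparison gives. Note that 'ssh/'
    sorts before 'sys/' ('s' < 'y' at the second character).
    """
    mounts = json.loads(mounts_json)
    return sorted(
        path
        for path, info in mounts.items()
        if info.get("type") not in BUILTIN_MOUNT_TYPES and path > "sys/"
    )


def leases_by_mount(lease_ids, mount_paths):
    """Group lease IDs under the given mounts; a lease ID starts with its mount path."""
    grouped = {path: [] for path in mount_paths}
    for lease in lease_ids:
        for path in mount_paths:
            if lease.startswith(path):
                grouped[path].append(lease)
    return grouped


def audit_namespace(mounts_json, lease_ids):
    """Map each affected mount to the leases an operator should verify were revoked."""
    return leases_by_mount(lease_ids, mounts_after_sys(mounts_json))


if __name__ == "__main__":
    for mount, leases in audit_namespace(SAMPLE_MOUNTS_JSON, SAMPLE_LEASE_IDS).items():
        print(f"{mount}: {len(leases)} lease(s) to verify in the remote system")
        for lease in leases:
            print(f"  {lease}")
```

Run it once per namespace, before that namespace is deleted on an unpatched version, so the list of lease IDs exists while the leases can still be looked up; after deletion the remote system's own credential listing is the only place left to check.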

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.