HCSEC-2020-06 - Vault Auth Groups Not Removed In Certain Circumstances

Bulletin ID: HCSEC-2020-06
Affected Products / Versions: Vault and Vault Enterprise 0.9.0 and newer; fixed in 1.3.4.
Publication Date: 19 March, 2020

Summary
A vulnerability was identified in Vault and Vault Enterprise (“Vault”) such that, under certain circumstances, an Entity’s Group membership may inadvertently include external Groups that the Entity should no longer be a member of. This vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions 0.9.0 and newer and is fixed in 1.3.4.

Background
Vault’s identity store can be integrated with third-party authentication systems through the use of Auth Methods. Some Auth Methods can return ‘group’ information to Vault, which Vault then uses to maintain its own Entity-Group mappings.

Details
In certain circumstances, if an authenticating entity has a group removed in the third-party authentication system, Vault may not remove the corresponding Entity-Group mapping correctly. As a result, an authenticated entity may retain membership of Vault Groups, and the access they grant, that it is no longer meant to have.

Conditions:

  • Rely on Auth Methods for authentication and group membership
  • Have configured Vault Policies against Groups
  • The following steps occur for a particular Entity:
    1. An entity authenticates with third-party groups configured
    2. The third-party groups for that entity get reduced to zero
    3. If the entity then re-authenticates to Vault, it still retains the previously mapped groups and their permissions

Remediation
As described above, this vulnerability applies only under conditions that exist in a subset of Vault deployments and use cases.

If deemed necessary, based on deployment / use case and conditions described above, operators should upgrade to Vault 1.3.4 or newer. All new successful authentication requests will update the Entity-Group mappings.

Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
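
To help decide whether a deployment is exposed, the following added example (not HashiCorp's code and not part of the original bulletin) compares Vault's external group memberships against an identity-provider export and reports entries the provider no longer grants; it covers any stale mapping, including the zero-groups case above. It assumes group records shaped like the `data` object returned by reading `identity/group/id/<id>`; the entity-to-user map, the IdP export and all sample names are constructed.

```python
# Added example: offline audit for stale external-group memberships.
# Assumed inputs: `groups` mirrors the "data" object returned when reading
# identity/group/id/<id>; `entity_user` and `idp_groups` are exports you build.

def stale_memberships(groups, entity_user, idp_groups):
    """Return sorted (entity_id, vault_group, idp_group) tuples for members
    Vault still lists in an external group the IdP no longer grants them."""
    findings = []
    for group in groups:
        alias = (group.get("alias") or {}).get("name")
        if group.get("type") != "external" or not alias:
            continue  # internal groups are managed in Vault, not by the IdP
        for entity_id in group.get("member_entity_ids") or []:
            user = entity_user.get(entity_id)
            # No IdP groups, or absent from the export, means the empty set:
            # the "reduced to zero" case described in the bulletin.
            current = idp_groups.get(user) or set()
            if alias not in current:
                findings.append((entity_id, group["name"], alias))
    return sorted(findings)


# Constructed sample data (hypothetical names, not real identifiers).
SAMPLE_GROUPS = [
    {"name": "vault-admins", "type": "external",
     "alias": {"name": "idp-admins"},
     "member_entity_ids": ["ent-alice", "ent-bob"]},
    {"name": "vault-dev", "type": "external",
     "alias": {"name": "idp-dev"},
     "member_entity_ids": ["ent-bob", "ent-carol"]},
    {"name": "break-glass", "type": "internal", "alias": {},
     "member_entity_ids": ["ent-bob"]},
]
SAMPLE_ENTITY_USER = {"ent-alice": "alice", "ent-bob": "bob", "ent-carol": "carol"}
SAMPLE_IDP_GROUPS = {
    "alice": {"idp-admins"},
    "bob": set(),  # every IdP group removed
    "carol": {"idp-dev"},
}

if __name__ == "__main__":
    for entity_id, vault_group, idp_group in stale_memberships(
            SAMPLE_GROUPS, SAMPLE_ENTITY_USER, SAMPLE_IDP_GROUPS):
        print(f"{entity_id}: still in {vault_group} (IdP group {idp_group})")
```

Entities reported here keep the listed group's policies until their mapping is refreshed; on Vault 1.3.4 or newer, that happens at the entity's next successful authentication.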

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.