HCSEC-2020-09 - Vault's GCP Secrets Engine Service Account Keys Not Enforcing Configured TTL

Bulletin ID: HCSEC-2020-09
Affected Products / Versions: Vault and Vault Enterprise versions 1.3.5/1.4.0 through 1.4.1; fixed in 1.4.2.
Publication Date: 21 May, 2020

Summary
Vault and Vault Enterprise versions 1.3.5/1.4.0 through 1.4.1, when configured with the GCP Secrets Engine, may under certain circumstances generate GCP credentials with Vault's default lease duration instead of the TTL configured for the engine. Generated service account keys may therefore remain valid for longer than the operator intended. This vulnerability was assigned CVE-2020-12757 and is fixed in 1.4.2.

Background
Vault’s GCP Secrets Engine allows the Vault operator to configure a time-to-live (TTL) for GCP credentials that are issued.

Details
Vault’s GCP Secrets Engine was observed to issue GCP credentials with Vault’s default TTL, rather than the TTL configured for the engine.
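The following script is an added example (not HashiCorp's code and not part of the original bulletin) showing how an operator can check whether keys already issued by the GCP Secrets Engine carry a lease longer than the TTL the engine was configured with, which is the symptom described above. It assumes the JSON shapes returned by `vault read -format=json gcp/config` (the `ttl` and `max_ttl` values are returned as seconds) and `vault lease lookup -format=json <lease_id>` (`issue_time` and `expire_time` are Go-style RFC 3339 UTC timestamps); the sample documents, roleset name and lease IDs are constructed for illustration. A configured `ttl` of 0 means the engine inherits the mount or system default, so nothing is flagged in that case.

```python
"""Audit GCP secrets engine leases whose granted TTL exceeds the engine's configured TTL.

Added example, not HashiCorp's code. Assumes the JSON shapes of
`vault read -format=json gcp/config` and `vault lease lookup -format=json <lease_id>`.
All sample data below is constructed.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed: output of `vault read -format=json gcp/config` after
# `vault write gcp/config ttl=1h max_ttl=24h` (durations are returned in seconds).
ENGINE_CONFIG_JSON = '{"data": {"ttl": 3600, "max_ttl": 86400}}'

# Constructed: two `vault lease lookup -format=json` results for keys issued from a
# roleset. The second shows the pattern this bulletin describes: a lease granted for
# Vault's system default of 768h (2764800 s) instead of the engine's configured 1h.
LEASE_LOOKUPS_JSON = [
    '{"data": {"id": "gcp/key/my-roleset/lease-ok", '
    '"issue_time": "2020-05-21T10:00:00.123456789Z", '
    '"expire_time": "2020-05-21T11:00:00.123456789Z", "renewable": true, "ttl": 3500}}',
    '{"data": {"id": "gcp/key/my-roleset/lease-default", '
    '"issue_time": "2020-05-21T10:00:00.5Z", '
    '"expire_time": "2020-06-22T10:00:00.5Z", "renewable": true, "ttl": 2764700}}',
]

ENGINE_CONFIG: Dict = json.loads(ENGINE_CONFIG_JSON)
LEASE_LOOKUPS: List[Dict] = [json.loads(doc) for doc in LEASE_LOOKUPS_JSON]


def parse_rfc3339(ts: str) -> datetime:
    """Parse a Go-style UTC timestamp such as 2020-05-21T10:00:00.123456789Z.

    Sub-second precision is dropped (irrelevant for a TTL audit), and the
    trailing Z is removed; the result is marked as UTC.
    """
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def granted_ttl_seconds(lease: Dict) -> int:
    """Lease duration actually granted, from issue_time to expire_time.

    This is used instead of the remaining `ttl` field, which shrinks as time passes
    and would hide an over-long grant on an older lease.
    """
    data = lease["data"]
    delta = parse_rfc3339(data["expire_time"]) - parse_rfc3339(data["issue_time"])
    return int(delta.total_seconds())


def overlong_leases(engine_config: Dict, lease_lookups: List[Dict]) -> List[Tuple[str, int, int]]:
    """Return (lease_id, granted_seconds, configured_seconds) for leases that exceed the engine TTL.

    A configured ttl of 0 means "inherit the mount/system default", so there is
    no engine-level TTL to compare against and nothing is flagged.
    """
    configured = int(engine_config["data"].get("ttl", 0))
    if configured <= 0:
        return []
    flagged = []
    for lease in lease_lookups:
        granted = granted_ttl_seconds(lease)
        if granted > configured:
            flagged.append((lease["data"]["id"], granted, configured))
    return flagged


def revoke_commands(flagged: List[Tuple[str, int, int]]) -> List[str]:
    """Build the `vault lease revoke` commands that retire each over-long key.

    Revoking the lease makes Vault delete the service account key in GCP, so the
    credential stops working immediately rather than at its over-long expiry.
    """
    return ["vault lease revoke {}".format(lease_id) for lease_id, _, _ in flagged]


if __name__ == "__main__":
    for lease_id, granted, configured in overlong_leases(ENGINE_CONFIG, LEASE_LOOKUPS):
        print("{}: granted {}s, engine ttl {}s".format(lease_id, granted, configured))
    for cmd in revoke_commands(overlong_leases(ENGINE_CONFIG, LEASE_LOOKUPS)):
        print(cmd)
```

In a real deployment the lease IDs would come from `vault list sys/leases/lookup/gcp/key/<roleset>` and each lookup from `vault lease lookup`; the granted duration is computed from `issue_time` and `expire_time` rather than from the remaining `ttl`, because the remaining value decreases over time and would let an older over-long lease slip past a simple comparison.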

Remediation
As described above, the conditions for this vulnerability exist only in the subset of Vault deployments that use the GCP Secrets Engine with an engine-level TTL configured.

If deemed necessary, based on the deployment / use case and the conditions described above, operators should upgrade to Vault or Vault Enterprise 1.4.2 or newer. Upgrading does not shorten leases that were already issued; keys generated while affected versions were in use retain the lease duration they were granted until they expire or are revoked. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it privately to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.