HCSEC-2020-09 - Vault's GCP Secrets Engine Service Account Keys Not Enforcing Configured TTL

Bulletin ID: HCSEC-2020-09
Affected Products / Versions: Vault and Vault Enterprise versions 1.3.5/1.4.0 through 1.4.1; fixed in 1.4.2.
Publication Date: 21 May, 2020

Vault and Vault Enterprise versions 1.3.5/1.4.0 through 1.4.2, configured with the GCP Secrets Engine, may, under certain circumstances, incorrectly generate GCP credentials with the default time-to-live lease duration instead of the engine's configured setting. This may lead to generated GCP credentials being valid for longer than expected. This vulnerability was assigned CVE-2020-12757 and fixed in 1.4.2.

Vault’s GCP Secrets Engine allows the Vault operator to configure a time-to-live (TTL) for GCP credentials that are issued.

Vault’s GCP Secrets Engine was observed to issue GCP credentials with Vault’s default TTL, rather than the TTL configured for the engine.
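An added audit check (example code, not HashiCorp's) that an operator could adapt to find leases that received Vault's default TTL rather than the engine's configured one. The config and lease records are constructed to mirror the shape of `vault read gcp/config` and `vault write sys/leases/lookup lease_id=...` output; the role set name and lease ids are placeholders.

```python
"""Flag GCP secrets engine leases that outlive the engine's configured TTL."""
import re
from datetime import datetime

# Constructed engine config, shaped like `vault read gcp/config` output
# (seconds): the operator set a 1h TTL and a 24h max TTL.
ENGINE_CONFIG = {"ttl": 3600, "max_ttl": 86400}

# Constructed lease lookups, shaped like `sys/leases/lookup` output. Lease B
# shows the behaviour this bulletin describes: Vault's default 768h (32 day)
# lease duration instead of the configured 1h.
LEASES = [
    {"id": "gcp/key/my-roleset/<lease-a>", "last_renewal": None,
     "issue_time": "2020-05-21T10:00:00.000000000Z",
     "expire_time": "2020-05-21T11:00:00.000000000Z"},
    {"id": "gcp/key/my-roleset/<lease-b>", "last_renewal": None,
     "issue_time": "2020-05-21T10:05:00.000000000Z",
     "expire_time": "2020-06-22T10:05:00.000000000Z"},
]

def parse_rfc3339(ts: str) -> datetime:
    """Vault emits RFC 3339 with nanoseconds; trim to microseconds so
    datetime.fromisoformat can parse it, and map a trailing Z to +00:00."""
    ts = re.sub(r"\.(\d{6})\d*", r".\1", ts)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def lease_lifetime_seconds(lease: dict) -> int:
    """Total lifetime granted to the lease, from issue to expiry."""
    delta = parse_rfc3339(lease["expire_time"]) - parse_rfc3339(lease["issue_time"])
    return int(delta.total_seconds())

def find_overlong_leases(config: dict, leases: list, slack: int = 60) -> list:
    """Return (id, lifetime) for leases longer than the engine allows.

    A never-renewed lease must fit the engine's ttl; a renewed one may grow up
    to max_ttl. `slack` absorbs second-level rounding in the timestamps. A ttl
    of 0 means the engine defers to Vault's system default, so there is no
    engine-specific TTL to check against and nothing is flagged.
    """
    if not config.get("ttl"):
        return []
    flagged = []
    for lease in leases:
        limit = config["max_ttl"] if lease.get("last_renewal") else config["ttl"]
        lifetime = lease_lifetime_seconds(lease)
        if lifetime > limit + slack:
            flagged.append((lease["id"], lifetime))
    return flagged
```

In a real deployment the lease ids come from `vault list sys/leases/lookup/gcp/key/<roleset>/` and each record from `sys/leases/lookup`; any flagged lease can be revoked with `vault lease revoke` once a fixed version is in place.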

As described above, this is a vulnerability with conditions existing only in a subset of Vault deployments and use cases.

If deemed necessary, based on the deployment / use case and the conditions described above, operators should upgrade to Vault or Vault Enterprise 1.4.2 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by an external party who reported it privately to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.