Bulletin ID: HCSEC-2020-16
Affected Products / Versions: Vault and Vault Enterprise 0.7.1 and newer; fixed in 1.2.5, 1.3.8, 1.4.4 and 1.5.1.
Publication Date: 18 August, 2020
A vulnerability was identified in Vault and Vault Enterprise (“Vault”) such that, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM identities and roles may be manipulated and authentication bypassed. This vulnerability, CVE-2020-16250, affects Vault and Vault Enterprise versions 0.7.1 and newer, and is fixed in 1.2.5, 1.3.8, 1.4.4 and 1.5.1.
Vault can be integrated with third-party authentication systems through the use of Auth Methods, components that perform authentication and are responsible for assigning identity and a set of policies to a user. The AWS Auth Method integrates Vault authentication into either AWS’ IAM service, or EC2 service. This vulnerability only impacts the IAM method.
When using the IAM auth method, the Vault client generates a signed HTTPS request to the AWS Security Token Service (STS) GetCallerIdentity action. These requests are signed using AWS’ Signature Algorithm locally, and are forwarded to AWS via the Vault server. By signing these requests, it allows Vault’s AWS Auth Method to validate that the client is identified and authenticated to AWS IAM.
When configuring the AWS Auth Role, the Vault operator configures bound attributes that are extracted from the above GetCallerIdentityResponse XML and then validated. If the bound attributes are met, then a valid Vault token is returned.
It was reported that the GetCallerIdentityResponse XML data could be manipulated yet still relied upon by Vault. It was possible to spoof arbitrary AWS IAM identity information, including potentially bound attributes, which in turn may allow generation of legitimate Vault tokens. This could be done from any AWS account, including an account that doesn’t match the configured bound attributes.
- Vault is configured with the AWS Auth Method via IAM (not EC2).
- An attacker knows what attributes are bound to the AWS Auth Method Role and their expected values.
As described above, this is a vulnerability with conditions existing only in a subset of Vault deployments and use-cases. Vault deployments that do not use the AWS Auth Method with IAM are not affected".
If deemed necessary, based on deployment / use case and conditions described above, operators should upgrade to Vault 1.2.5, 1.3.8, 1.4.4 and 1.5.1 or newer. These releases include changes to the AWS Auth Method to address this vulnerability.
The external vulnerability reporter plans to publish their findings on October 6, 2020. Affected Vault deployments should evaluate exposure and consider adopting one of these new releases prior to that date.
Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
This issue was identified by Felix Wilhelm of Google Project Zero.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.