Bulletin ID: HCSEC-2020-18
Affected Products / Versions: vault-ssh-helper up to 0.1.6; fixed in 0.1.7.
Publication Date: 19 August, 2020
vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host’s network interface was located, rather than the specific IP address assigned to that interface. Assigned CVE-2020-24359 and fixed in 0.1.7.
vault-ssh-helper is the host-side counterpart to HashiCorp Vault's SSH backend. It lets a machine verify One-Time Passwords (OTPs) issued by a Vault server, so that they can be used as client authentication credentials at SSH connection time.
It was observed that vault-ssh-helper incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface. As a result, an OTP that Vault had issued for one host could be accepted by any other host running vault-ssh-helper on the same subnet.
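The following Go program is an added illustration of the class of mistake described above; it is not vault-ssh-helper's own code and does not reproduce the project's actual check. It assumes the local interface addresses are available as CIDR strings of the form returned by net.InterfaceAddrs (for example "10.0.0.5/24") and that the OTP verification response carries the IP address the OTP was issued for. subnetMatch accepts the OTP if that IP falls anywhere within a local interface's subnet, which is the behaviour the bulletin describes; exactIPMatch requires the IP to equal an address actually assigned to an interface.

```go
package main

import (
	"fmt"
	"net"
)

// subnetMatch models the flawed check: the IP that Vault reports for the OTP
// is accepted if it lies anywhere inside the subnet of a local interface.
// An OTP issued for a neighbouring host on the same /24 therefore passes.
func subnetMatch(ifaceAddrs []string, otpIP string) (bool, error) {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false, fmt.Errorf("invalid OTP IP %q", otpIP)
	}
	for _, a := range ifaceAddrs {
		_, ipnet, err := net.ParseCIDR(a) // ipnet is the network, e.g. 10.0.0.0/24
		if err != nil {
			return false, fmt.Errorf("bad interface address %q: %w", a, err)
		}
		if ipnet.Contains(ip) { // subnet membership, not address identity
			return true, nil
		}
	}
	return false, nil
}

// exactIPMatch is the corrected check: the OTP's IP must be equal to an
// address assigned to a local interface, not merely in its subnet.
func exactIPMatch(ifaceAddrs []string, otpIP string) (bool, error) {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false, fmt.Errorf("invalid OTP IP %q", otpIP)
	}
	for _, a := range ifaceAddrs {
		ifIP, _, err := net.ParseCIDR(a) // ifIP is the host address, e.g. 10.0.0.5
		if err != nil {
			return false, fmt.Errorf("bad interface address %q: %w", a, err)
		}
		if ifIP.Equal(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: this host has 10.0.0.5/24 on one interface plus loopback.
	local := []string{"127.0.0.1/8", "10.0.0.5/24"}
	// 10.0.0.5 is this host; 10.0.0.7 is a neighbour on the same subnet;
	// 10.0.1.5 is on a different subnet.
	for _, otpIP := range []string{"10.0.0.5", "10.0.0.7", "10.0.1.5"} {
		weak, _ := subnetMatch(local, otpIP)
		strict, _ := exactIPMatch(local, otpIP)
		fmt.Printf("OTP issued for %-9s subnet check: %-5v exact check: %v\n", otpIP, weak, strict)
	}
}
```

Running it shows the difference: an OTP issued for 10.0.0.7 is accepted by the subnet check on a host whose only address is 10.0.0.5, and rejected by the exact check. A deployed helper should also fail closed when the OTP response carries no IP or the interface list cannot be read, rather than skipping the comparison.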
Upgrade to vault-ssh-helper 0.1.7 or newer.
This issue was identified by an external party who reported it to HashiCorp.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.