HCSEC-2020-18 - Vault SSH Helper Validated IP Addresses Incorrectly

Bulletin ID: HCSEC-2020-18
Affected Products / Versions: vault-ssh-helper up to 0.1.6; fixed in 0.1.7.
Publication Date: 19 August, 2020

Summary
vault-ssh-helper up to and including version 0.1.6 incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host’s network interface was located, rather than the specific IP address assigned to that interface. Assigned CVE-2020-24359 and fixed in 0.1.7.

Background
vault-ssh-helper is a counterpart to HashiCorp Vault's SSH backend. It lets a machine consume One-Time Passwords (OTPs) created by Vault servers by accepting them as client authentication credentials at SSH connection time.

Details
It was observed that vault-ssh-helper incorrectly accepted Vault-issued SSH OTPs for any address in the subnet in which a host's network interface was located, rather than only the specific IP address assigned to that interface.
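To make the validation error concrete, the following Go program is an added illustration written for this bulletin; it is not vault-ssh-helper's own code and does not reproduce its internals. It assumes the helper compares the IP bound to a Vault-issued OTP against the host's interface addresses: vulnerableMatch mirrors the described flaw by accepting any address inside an interface's subnet, while fixedMatch accepts only an exact interface address. The interface list and the OTP-bound addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
)

// Interface addresses of the host running the helper, in CIDR form so the
// subnet mask is known. Constructed sample data for this example; a real
// helper would obtain them from the operating system.
var hostAddrs = []string{"10.0.5.17/24", "192.168.100.2/16"}

// vulnerableMatch mirrors the flawed behaviour described in the bulletin:
// the IP bound to the OTP is accepted if it lies anywhere inside the subnet
// of one of the host's interfaces, so an OTP issued for a neighbouring host
// on the same network is accepted here too.
func vulnerableMatch(otpIP string, addrs []string) bool {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false
	}
	for _, a := range addrs {
		_, subnet, err := net.ParseCIDR(a)
		if err != nil {
			continue
		}
		if subnet.Contains(ip) {
			return true
		}
	}
	return false
}

// fixedMatch accepts the OTP only if its bound IP equals the exact address
// assigned to one of the host's interfaces. net.IP.Equal also treats the
// IPv4 and IPv4-mapped-IPv6 forms of the same address as equal.
func fixedMatch(otpIP string, addrs []string) bool {
	ip := net.ParseIP(otpIP)
	if ip == nil {
		return false
	}
	for _, a := range addrs {
		ifaceIP, _, err := net.ParseCIDR(a)
		if err != nil {
			continue
		}
		if ifaceIP.Equal(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed OTP-bound addresses: the host's own address, a neighbour on
	// the same /24, and an address on an unrelated network.
	// Expected: 10.0.5.17 accepted by both; 10.0.5.99 accepted only by the
	// vulnerable check; 172.16.0.1 rejected by both.
	for _, otpIP := range []string{"10.0.5.17", "10.0.5.99", "172.16.0.1"} {
		fmt.Printf("%-12s vulnerable=%-5v fixed=%v\n",
			otpIP, vulnerableMatch(otpIP, hostAddrs), fixedMatch(otpIP, hostAddrs))
	}
}
```

The difference between the two checks is the whole bug: subnet.Contains answers "is this address on my network", whereas the helper must answer "is this address mine". An OTP bound to any other host on the same subnet should be rejected, which only the exact comparison does.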

Remediation
Upgrade to vault-ssh-helper 0.1.7 or newer.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.