HCSEC-2020-20 - Vault Leases Created with Batch Tokens have Invalid Expiration

Bulletin ID: HCSEC-2020-20
Affected Products / Versions: HashiCorp Vault and Vault Enterprise versions 1.0 and newer; fixed in 1.4.7 and 1.5.4.
Publication Date: 24 September, 2020

Summary
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. This vulnerability, CVE-2020-25816, was fixed in 1.4.7 and 1.5.4.

Background
Vault allows the issuance of batch token leases (documentation) that expire according to an associated time-to-live (TTL).

Details
It was observed that some batch token leases may have been issued with a longer TTL than indicated in the documentation, which states “[l]eases created by batch tokens are constrained to the remaining TTL of the batch tokens”. Vault was applying the default TTL to the new lease, instead of deferring to the batch token’s remaining TTL.
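The following Go program is an added illustration, not code from the bulletin or from Vault itself: it models the documented cap (a batch token's lease may not outlive the token's remaining TTL) beside the pre-fix behaviour of falling back to a default lease TTL, and runs an audit over constructed lease records to flag leases showing the symptom. The Lease fields, the sample records and the 768h default are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Lease holds the fields an operator would collect for a lease and the
// token that created it (constructed record layout, not a Vault type).
type Lease struct {
	ID              string
	TokenType       string    // "service" or "batch"
	TokenExpireTime time.Time // when the issuing token expires
	LeaseExpireTime time.Time // when Vault scheduled the lease to expire
}

// effectiveLeaseTTL applies the documented rule: a lease created by a
// batch token is constrained to the token's remaining TTL. The pre-fix
// behaviour corresponds to skipping this cap and keeping the default TTL.
func effectiveLeaseTTL(requested, tokenRemaining time.Duration, batch bool) time.Duration {
	if batch && tokenRemaining < requested {
		return tokenRemaining
	}
	return requested
}

// auditLeases returns the IDs of batch-token leases whose expiration lies
// after their token's expiration, which is the symptom this bulletin describes.
func auditLeases(leases []Lease) []string {
	var outliving []string
	for _, l := range leases {
		if l.TokenType == "batch" && l.LeaseExpireTime.After(l.TokenExpireTime) {
			outliving = append(outliving, l.ID)
		}
	}
	return outliving
}

func main() {
	now := time.Date(2020, 9, 24, 12, 0, 0, 0, time.UTC)
	defaultTTL := 768 * time.Hour // assumed default lease TTL for the mount
	leases := []Lease{ // constructed sample records
		{"database/creds/app/1", "batch", now.Add(10 * time.Minute), now.Add(10 * time.Minute)},
		{"database/creds/app/2", "batch", now.Add(10 * time.Minute), now.Add(defaultTTL)},
		{"database/creds/app/3", "service", now.Add(10 * time.Minute), now.Add(defaultTTL)},
	}
	for _, id := range auditLeases(leases) {
		fmt.Println("lease outlives its batch token:", id)
	}
	fmt.Println("capped TTL:", effectiveLeaseTTL(defaultTTL, 10*time.Minute, true))
}
```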

Remediation
If deemed necessary, based on deployment / use case, operators should upgrade to Vault 1.4.7 or 1.5.4, or newer.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Update Regarding Risk Scoring

The CVSS score originally published to the NIST NVD for this issue was 9.8 (Critical), with a vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

In contrast, HashiCorp’s internal CVSS scoring was 6.8 (Medium), with a vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N.

Points for consideration regarding this score:

  • To exploit this vulnerability, the attacker must authenticate to Vault and have permissions to request (and be issued) a Batch Token. The original score had Privileges Required as None and Attack Complexity as Low but Privileges Required should at least be Low and Attack Complexity High to reflect the requirement for an attacker to obtain a valid token.
  • This vulnerability should not impact Availability.