HCSEC-2020-24 - Vault Enterprise’s Sentinel EGP Policies May Impact Parent or Sibling Namespaces

Bulletin ID: HCSEC-2020-24
Affected Products / Versions: Vault Enterprise; fixed in 1.6.1 & 1.5.6.
Publication Date: 16 December, 2020

Summary
Vault Enterprise Sentinel EGP policies should be constrained to the namespace in which they’re applied, or to its child namespaces. Incorrect parsing of the supplied path when configuring EGP policies allowed them to process requests in parent and sibling namespaces. This vulnerability, CVE-2020-35453, was fixed in Vault Enterprise 1.6.1 & 1.5.6.

Background
Sentinel EGP Policies are a Vault Enterprise feature that allows Operators to configure additional access control logic tied to paths within a Vault cluster. See https://www.vaultproject.io/docs/enterprise/sentinel for more information.

Details
An external party reported that they were able to apply Sentinel EGP Policies to a global path, allowing them to escalate part of their privileges and potentially influence operations in Vault namespaces they should not have been able to reach.
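The scoping rule the advisory describes, as an added illustrative check (not Vault's own code): a policy path is accepted only if, after resolving "." and ".." segments, it resolves to the configuring namespace or one of its children. The namespace layout, the function name and the sample paths are assumptions for the example; the boundary-aware prefix test is what keeps a sibling such as "ns10" from matching "ns1".

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// policyPathInScope reports whether policyPath, supplied by an operator
// working in namespace ns, lands inside ns or one of its child namespaces.
// Illustrative check only; this is not Vault's implementation.
func policyPathInScope(ns, policyPath string) bool {
	ns = strings.Trim(ns, "/")
	// The root namespace contains every other namespace.
	if ns == "" {
		return true
	}
	// Anchoring at "/" before Clean means ".." can never climb above the
	// root, so "ns1/child/../../ns2/secret" resolves to "ns2/secret" and is
	// judged on where it actually lands, not on how it was spelled.
	clean := strings.TrimPrefix(path.Clean("/"+policyPath), "/")
	// Exact match covers the namespace itself; the "ns/" prefix covers its
	// children while rejecting siblings that merely share a prefix ("ns10").
	return clean == ns || strings.HasPrefix(clean, ns+"/")
}

func main() {
	// Constructed sample paths for the namespace "ns1".
	samples := []string{
		"ns1/secret/foo",             // child path: in scope
		"ns1",                        // the namespace itself: in scope
		"ns10/secret/foo",            // sibling with shared prefix: out
		"secret/foo",                 // global (root) path: out
		"ns1/child/../../ns2/secret", // traversal into a sibling: out
	}
	for _, p := range samples {
		fmt.Printf("%-30s in scope: %v\n", p, policyPathInScope("ns1", p))
	}
}
```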

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.6.1, 1.5.6, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.