HCSEC-2020-25 - Vault’s LDAP Auth Method Allows User Enumeration

Bulletin ID: HCSEC-2020-25
Affected Products / Versions: Vault and Vault Enterprise 1.4.1 and newer; fixed in 1.6.1 & 1.5.6.
Publication Date: 16 December, 2020

Summary
Vault and Vault Enterprise (“Vault”) allowed enumeration of users via the LDAP auth method. This vulnerability, CVE-2020-35177, was introduced in Vault 1.4.1 and fixed in Vault 1.6.1 and 1.5.6.

Background
The Vault LDAP auth method (documented under “LDAP - Auth Methods” in the Vault documentation by HashiCorp) allows authentication against an existing LDAP server using user/password credentials.

Details
An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method.
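As an added illustration (not Vault's own code, and the exact messages Vault returned are not stated in this bulletin), the Go program below contrasts a login path that surfaces the LDAP failure reason to the client with one that returns a single fixed error, plus a check a test suite can keep so the regression is caught. The in-memory directory and its entries are constructed stand-ins for a real LDAP server.

```go
package main

import "errors"

// Constructed in-memory directory standing in for the LDAP server
// (assumption: a toy substitute, not a real LDAP client).
var directory = map[string]string{"alice": "correct-horse"}

// lookupAndBind mirrors the two LDAP steps behind a login: resolve the
// user's entry, then bind with the supplied password. The two failure
// paths are legitimately different inside the server.
func lookupAndBind(user, pass string) error {
	stored, ok := directory[user]
	if !ok {
		return errors.New("ldap user not found")
	}
	if stored != pass {
		return errors.New("ldap bind failed: invalid credentials")
	}
	return nil
}

// LoginLeaky passes the internal reason straight to the caller, so an
// unknown user and a known user with a bad password get different
// messages: the enumeration pattern the bulletin describes.
func LoginLeaky(user, pass string) error {
	return lookupAndBind(user, pass)
}

// LoginHardened collapses every failure into one fixed client-facing
// message, so the response no longer reveals whether the account exists.
// The underlying reason belongs in the server-side log only.
func LoginHardened(user, pass string) error {
	if err := lookupAndBind(user, pass); err != nil {
		return errors.New("ldap operation failed")
	}
	return nil
}

// ErrorsIndistinguishable is a regression check for a test suite: both
// failure paths must produce byte-identical client-facing messages.
func ErrorsIndistinguishable(login func(string, string) error) bool {
	unknown := login("no-such-user", "x")
	wrongPw := login("alice", "wrong")
	return unknown != nil && wrongPw != nil && unknown.Error() == wrongPw.Error()
}
```

Running ErrorsIndistinguishable against each login function returns false for LoginLeaky and true for LoginHardened.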

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.6.1, 1.5.6, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.