HCSEC-2020-25 - Vault’s LDAP Auth Method Allows User Enumeration

Bulletin ID: HCSEC-2020-25
Affected Products / Versions: Vault and Vault Enterprise 1.4.1 and newer; fixed in 1.6.1 and 1.5.6.
Publication Date: 16 December, 2020

Vault and Vault Enterprise (“Vault”) allowed enumeration of users via the LDAP auth method. This vulnerability, CVE-2020-35177, was introduced in Vault 1.4.1 and fixed in Vault 1.6.1 and 1.5.6.

The Vault LDAP auth method (documented at LDAP - Auth Methods | Vault by HashiCorp) allows authentication using an existing LDAP server and user/password credentials.

An external party reported that they were able to enumerate LDAP users via error messages returned by Vault’s LDAP auth method.
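The pattern behind this class of bug is an auth handler that passes the directory's own failure reason back to the client, so "user not found" and "wrong password" produce different responses. The following Go program is an added illustration written for this bulletin, not code from Vault or from HashiCorp: an in-memory map stands in for the LDAP server, `lookupAndBind`, `LoginLeaky`, `LoginHardened` and `ResponsesDiffer` are hypothetical names, and the error strings are constructed. It contrasts a leaky handler with one that keeps the specific cause in server-side logs and returns a single generic error to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// ErrInvalidCredentials is the one error returned to clients for any login
// failure, so the response cannot be used to tell whether a username exists.
var ErrInvalidCredentials = errors.New("ldap operation failed: invalid username or password")

// directory is a constructed stand-in for an LDAP server (username -> password).
var directory = map[string]string{
	"alice": "correct-horse",
	"bob":   "battery-staple",
}

// lookupAndBind mimics the two steps an LDAP auth method performs: find the
// user's entry, then bind with the supplied password. Its distinct errors are
// useful internally but must not be handed to the client verbatim.
func lookupAndBind(username, password string) error {
	pw, ok := directory[username]
	if !ok {
		return fmt.Errorf("user %q not found in directory", username)
	}
	if pw != password {
		return fmt.Errorf("bind failed for user %q", username)
	}
	return nil
}

// LoginLeaky returns the internal error unchanged. A caller can distinguish an
// unknown user from a wrong password, which is the enumeration behaviour the
// bulletin describes.
func LoginLeaky(username, password string) error {
	return lookupAndBind(username, password)
}

// LoginHardened records the real cause through logf (operator-visible only)
// and returns the same generic error for every failure.
func LoginHardened(username, password string, logf func(string, ...interface{})) error {
	if err := lookupAndBind(username, password); err != nil {
		if logf != nil {
			logf("ldap login failed: %v", err)
		}
		return ErrInvalidCredentials
	}
	return nil
}

// ResponsesDiffer reports whether a login function yields distinguishable
// client-facing errors for a non-existent user versus an existing user with
// a wrong password. true means the handler leaks user existence.
func ResponsesDiffer(login func(string, string) error) bool {
	unknown := login("nobody", "whatever")
	wrongPw := login("alice", "not-her-password")
	if unknown == nil || wrongPw == nil {
		return true
	}
	return unknown.Error() != wrongPw.Error()
}

func main() {
	hardened := func(u, p string) error { return LoginHardened(u, p, log.Printf) }
	fmt.Println("leaky handler reveals user existence:   ", ResponsesDiffer(LoginLeaky))
	fmt.Println("hardened handler reveals user existence:", ResponsesDiffer(hardened))
	fmt.Println("valid login for alice:", LoginHardened("alice", "correct-horse", nil))
}
```

`ResponsesDiffer` is the check a reviewer or integration test can run against any login path: if the two probe calls return different messages, the handler is leaking directory membership and the specific cause should be moved to server logs, as `LoginHardened` does.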

Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.6.1, 1.5.6, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.