HCSEC-2021-03 - Vault API Endpoint Allowed Enumeration of Secrets Engine Mount Paths Without Authentication

Bulletin ID: HCSEC-2021-03
Affected Products / Versions: Vault and Vault Enterprise, all versions prior to the fixed releases; fixed in 1.6.2 and 1.5.7.
Publication Date: 29 January, 2021

Summary
Vault and Vault Enterprise (“Vault”) allowed the enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. This vulnerability, CVE-2020-25594, was fixed in Vault 1.6.2 & 1.5.7.

Background
Vault operators are able to mount Secrets Engines at customizable paths. Secrets engines are components which store, generate, or encrypt data.

Details
An external party reported that they were able to enumerate legitimate Secrets Engines mount paths by brute forcing Vault’s API with unauthenticated HTTP requests.

Note that knowledge of the existence of a Secrets Engine mount is not by itself critical to the Vault security model: reading or writing under a mount still requires an authenticated token whose policies grant access to that path. Disclosing mount paths to unauthenticated callers is nonetheless unnecessary information disclosure, since it hands an attacker a map of which engines are in use and where.
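The enumeration described above leaves a recognisable trace: one source issuing many token-less, failing requests against many different top-level paths in a short time. The following detection logic is an added example, not code from the bulletin or from HashiCorp; it runs over constructed audit-device lines embedded in the block. The field names (type, time, auth.client_token, request.path, request.remote_address, error) follow the layout of Vault's file audit device, and it is an assumption that the failing unauthenticated probes are recorded there on your build.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _audit_line(time, remote, path, token="", error=""):
    """Build one constructed audit-device 'response' entry (one JSON object per line).
    Field names follow the Vault file audit device layout; the data is fabricated."""
    return json.dumps({
        "time": time, "type": "response",
        "auth": {"client_token": token},
        "request": {"operation": "read", "path": path, "remote_address": remote},
        "error": error,
    })


# Constructed sample: 198.51.100.7 sweeps candidate mounts without a token,
# 10.0.0.5 works normally with a token, 10.0.0.9 fails once (forgot to log in).
SAMPLE_AUDIT_LOG = "\n".join([
    _audit_line("2021-01-29T10:00:00Z", "10.0.0.5", "secret/data/app", token="hmac-sha256:abc"),
    _audit_line("2021-01-29T10:00:01Z", "198.51.100.7", "secret/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:01Z", "198.51.100.7", "kv/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:02Z", "198.51.100.7", "aws/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:02Z", "198.51.100.7", "database/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:03Z", "198.51.100.7", "pki/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:03Z", "198.51.100.7", "transit/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:04Z", "198.51.100.7", "ssh/foo", error="permission denied"),
    _audit_line("2021-01-29T10:00:09Z", "10.0.0.9", "secret/data/db", error="permission denied"),
    _audit_line("2021-01-29T10:00:10Z", "10.0.0.5", "transit/encrypt/app", token="hmac-sha256:abc"),
])


def parse_audit_lines(text):
    """Parse audit JSON lines into flat events. Sub-second precision is dropped
    and timestamps are assumed to be UTC (Vault writes RFC 3339 with a Z suffix)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "response":
            continue
        req = ev.get("request") or {}
        events.append({
            "time": datetime.strptime(ev["time"][:19], "%Y-%m-%dT%H:%M:%S"),
            "remote": req.get("remote_address", ""),
            # first path segment is the candidate mount: 'secret/data/app' -> 'secret'
            "mount": (req.get("path") or "").strip("/").split("/", 1)[0],
            "token": (ev.get("auth") or {}).get("client_token") or "",
            "error": ev.get("error") or "",
        })
    return events


def find_mount_enumeration(events, window=timedelta(minutes=5), min_mounts=5):
    """Flag sources whose token-less, failing requests touch at least `min_mounts`
    distinct top-level paths inside any `window`. Returns {remote: sorted mounts}."""
    probes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["token"] == "" and ev["error"]:
            probes[ev["remote"]].append(ev)
    hits = {}
    for remote, evs in probes.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start:end+1] fits in `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if len({e["mount"] for e in evs[start:end + 1]}) >= min_mounts:
                hits[remote] = sorted({e["mount"] for e in evs})
                break
    return hits


if __name__ == "__main__":
    for remote, mounts in find_mount_enumeration(parse_audit_lines(SAMPLE_AUDIT_LOG)).items():
        print(f"{remote}: probed {len(mounts)} mounts: {', '.join(mounts)}")
```

Tune `window` and `min_mounts` to your traffic, and consider excluding the `auth/` prefix so that a burst of failed logins across several auth methods is not reported as mount enumeration; the detection does not depend on any particular error string, only on the token-less request failing.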

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.6.2 or 1.5.7, or a newer release. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
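Because the fix landed on two release lines, a simple string or "latest minor" comparison gets the affected set wrong (1.6.10 is fixed, 1.6.1+ent is not, 1.5.6 is affected even though 1.5.7 predates 1.6.2). The check below is an added example, not HashiCorp's code. It classifies a Vault version string against the fixed releases named in this bulletin and reads the version from a constructed copy of the unauthenticated GET /v1/sys/health response; fetching that response from a live server is left to the caller. Treating minor lines newer than 1.6 as fixed is an assumption based on those lines having branched after the patch.

```python
import json
import re

# Fixed releases from the bulletin: the 1.5 line at 1.5.7, the 1.6 line at 1.6.2.
FIXED = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 2)}


def parse_vault_version(raw):
    """'1.6.1+ent', 'v1.5.7', '1.4.3-rc1' -> (1, 6, 1), (1, 5, 7), (1, 4, 3).
    Build suffixes (+ent, -rc1, ...) do not affect the comparison."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_by_hcsec_2021_03(raw):
    """True if this version still exposes unauthenticated mount-path enumeration."""
    v = parse_vault_version(raw)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]          # numeric compare, so (1, 6, 10) >= (1, 6, 2)
    # Lines older than 1.5 never received the fix; lines after 1.6 are assumed
    # to carry it because they branched after the patch.
    return line < (1, 5)


def check_health_json(doc):
    """Take the JSON body of GET /v1/sys/health and report the verdict."""
    version = json.loads(doc)["version"]
    return {"version": version, "affected": is_affected_by_hcsec_2021_03(version)}


# Constructed sample of a sys/health body (fields trimmed to what is needed).
SAMPLE_HEALTH = json.dumps({
    "initialized": True, "sealed": False, "standby": False,
    "version": "1.6.1+ent", "cluster_name": "vault-cluster-example",
})


if __name__ == "__main__":
    print(check_health_json(SAMPLE_HEALTH))
```

On a live cluster the body comes from `curl -s "$VAULT_ADDR/v1/sys/health"`; the endpoint needs no token, so the same check can be run against every cluster in an inventory before scheduling the upgrade.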

Acknowledgement
This issue was identified by Toyota Connected who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.