HCSEC-2021-06 - Terraform Enterprise Organization-Level MFA Requirement Was Not Enforced

Bulletin ID: HCSEC-2021-06
Affected Products / Versions: Terraform Enterprise, fixed in release v202103-1.
Publication Date: 23 March, 2021

Summary
Terraform Enterprise did not enforce the organization-level setting to require all users within an organization to enable two-factor authentication. This vulnerability, CVE-2021-3153, was fixed in Terraform Enterprise v202103-1.

Background
Terraform Enterprise organizations are a shared space in which teams collaborate on workspaces. Organization owners may configure their organization to require all members to enable two-factor authentication.

Details
It was discovered that Terraform Enterprise did not enforce the organization-level setting that requires all users within an organization to enable two-factor authentication. Individual users could be added to an organization without two-factor authentication enabled, even when that organization-level setting was turned on.

Note that the two-factor authentication mechanism itself was not affected by this vulnerability, has been tested, and remains effective.
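The following is an added example, not HashiCorp's code: it shows the two places a defender would want the requirement checked, an admission-time gate (the check this advisory describes as missing) and an audit over existing memberships that finds anyone who slipped in before the fix. The membership listing is a constructed sample whose field names are an assumption, loosely modelled on a JSON:API-style listing with users included, not the documented Terraform Enterprise API.

```python
import json

# Constructed sample listing; field names are an assumption for this example.
SAMPLE_LISTING = json.dumps({
    "org": {"name": "example-org", "two_factor_required": True},
    "data": [
        {"type": "organization-memberships", "id": "ou-1",
         "relationships": {"user": {"data": {"id": "user-a"}}}},
        {"type": "organization-memberships", "id": "ou-2",
         "relationships": {"user": {"data": {"id": "user-b"}}}},
        {"type": "organization-memberships", "id": "ou-3",
         "relationships": {"user": {"data": {"id": "user-c"}}}},
    ],
    "included": [
        {"type": "users", "id": "user-a", "attributes": {"username": "alice",
         "two-factor": {"enabled": True, "verified": True}}},
        {"type": "users", "id": "user-b", "attributes": {"username": "bob",
         "two-factor": {"enabled": True, "verified": False}}},
        {"type": "users", "id": "user-c", "attributes": {"username": "carol",
         "two-factor": {"enabled": False, "verified": False}}},
    ],
})


def has_verified_2fa(user: dict) -> bool:
    """A member is conformant only when 2FA is both enabled and verified."""
    tf = user.get("attributes", {}).get("two-factor", {})
    return bool(tf.get("enabled")) and bool(tf.get("verified"))


def may_join(org_requires_2fa: bool, user: dict) -> bool:
    """Admission-time gate: refuse the add when the org requires 2FA and the
    user lacks it. Missing or unknown status is treated as not conformant."""
    return (not org_requires_2fa) or has_verified_2fa(user)


def non_conformant_members(listing_json: str) -> list:
    """Audit existing members; return usernames violating the org's 2FA rule.

    Returns an empty list when the org does not require 2FA. A membership whose
    user object is absent from `included` is reported as well: unknown is not
    conformant.
    """
    listing = json.loads(listing_json)
    if not listing["org"].get("two_factor_required"):
        return []
    users = {u["id"]: u for u in listing.get("included", []) if u["type"] == "users"}
    flagged = []
    for membership in listing["data"]:
        uid = membership["relationships"]["user"]["data"]["id"]
        user = users.get(uid)
        if user is None:
            flagged.append("<unknown user %s>" % uid)
        elif not has_verified_2fa(user):
            flagged.append(user["attributes"]["username"])
    return flagged
```

Running the audit on the sample flags `bob` (enrolled but never verified) and `carol` (not enrolled); only an enabled and verified factor counts.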

Remediation
Terraform Enterprise customers should evaluate the risk associated with this issue and consider upgrading to v202103-1 or newer.

Acknowledgement
This issue was identified by the team at Mox Bank, who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.