Bulletin ID: HCSEC-2021-15
Affected Products / Versions: Vault and Vault Enterprise, versions 0.10.0 through 1.7.1; fixed in 1.5.9, 1.6.5, and 1.7.2.
Publication Date: May 20, 2021
Summary
Vault and Vault Enterprise (“Vault”) allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. This vulnerability, CVE-2021-32923, was fixed in Vault and Vault Enterprise 1.5.9, 1.6.5, and 1.7.2.
Background
Vault’s core authentication method uses tokens, which are managed with a lease / renew / revoke lifecycle. Leases are created and tokens issued by Vault auth methods on successful authentication. Token leases may have a time-to-live (“TTL”) and a maximum TTL, and may be renewed multiple times until their maximum TTL is reached.
Vault dynamic secrets functionality, associated with a subset of Vault’s secrets engines, uses the same lease / renew / revoke and TTL mechanism.
Details
Several Vault operators reported unexpected behavior where a subset of token leases were being renewed with incorrect non-expiring leases.
On investigation, a renewal logic flaw was identified such that when a token lease or dynamic secret lease was renewed inside the last second of its maximum TTL, the renewed lease would have a TTL set to the remaining seconds of maximum TTL (0 seconds, rounded down), which was incorrectly treated as non-expiring during subsequent use. This resulted in these tokens and dynamic secrets living past their lifetime and not being revoked.
Exposure was limited to a narrow window of time and generally affected only a small subset of renewals. It is believed that automation-driven renewals operating under tight time tolerances may have been more susceptible to this issue.
An existing Vault token is required in order to exploit this issue.
Remediation
Customers should evaluate the risk associated with this issue, and consider upgrading to Vault Enterprise 1.5.9 / 1.6.5 / 1.7.2 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
After upgrade, Vault will reject renewal requests received for leases with less than 1 second remaining of their maximum TTL, in the same manner as it rejects renewal requests for leases past their maximum TTL.
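To make the flaw in the Details section and the remediation above concrete, here is an added illustration in Go of the renewal arithmetic it describes. This is not Vault's own code; the Lease type, the renewFlawed and renewFixed functions and the lease values are constructed for this example, and "a TTL of 0 means non-expiring" stands in for the downstream behaviour the bulletin attributes to the renewed lease.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease is a simplified stand-in for a Vault token or dynamic secret lease
// (constructed for this example; not Vault's own data structure).
type Lease struct {
	IssueTime time.Time     // when the lease was first issued
	MaxTTL    time.Duration // hard upper bound on lifetime from IssueTime
	TTL       time.Duration // current lease TTL; 0 is treated as "never expires"
}

// renewFlawed mirrors the behaviour the bulletin describes: the remaining
// max-TTL is rounded down to whole seconds, so a renewal inside the final
// second yields a TTL of 0, which callers then interpret as non-expiring.
func renewFlawed(l *Lease, now time.Time) error {
	remaining := l.IssueTime.Add(l.MaxTTL).Sub(now)
	if remaining <= 0 {
		return errors.New("lease past its maximum TTL")
	}
	l.TTL = remaining.Truncate(time.Second) // becomes 0 when remaining < 1s
	return nil
}

// renewFixed applies the remediation: renewals with less than one second
// left are rejected exactly like renewals past the maximum TTL.
func renewFixed(l *Lease, now time.Time) error {
	remaining := l.IssueTime.Add(l.MaxTTL).Sub(now)
	if remaining < time.Second {
		return errors.New("lease past or within 1s of its maximum TTL")
	}
	l.TTL = remaining.Truncate(time.Second)
	return nil
}

// isNonExpiring reproduces the downstream misinterpretation of a zero TTL.
func isNonExpiring(l *Lease) bool { return l.TTL == 0 }

func main() {
	issued := time.Date(2021, 5, 20, 0, 0, 0, 0, time.UTC)
	// Constructed renewal request arriving 500ms before the maximum TTL elapses.
	now := issued.Add(time.Hour - 500*time.Millisecond)
	a := &Lease{IssueTime: issued, MaxTTL: time.Hour, TTL: 10 * time.Minute}
	fmt.Println("flawed:", renewFlawed(a, now), "non-expiring:", isNonExpiring(a))
	b := &Lease{IssueTime: issued, MaxTTL: time.Hour, TTL: 10 * time.Minute}
	fmt.Println("fixed:", renewFixed(b, now), "non-expiring:", isNonExpiring(b))
}
```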
During the upgrade process, Vault will automatically expire any existing token leases and dynamic secret leases that are non-expiring because of this renewal logic flaw. Any cleanup activity will be written to the Vault server log (log entry will match “finished revoking incorrectly non-expiring lease”), and lease identifiers included in those logs may be mapped back to the Vault audit log for further investigation.
Acknowledgement
This behavior was identified by several external parties who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.