HCSEC-2021-18 - Terraform Enterprise Allowed Privilege Escalation Via Run Token

Bulletin ID: HCSEC-2021-18
Affected Products / Versions: Terraform Enterprise up to v202106-1; fixed in v202107-1.
Publication Date: July 20, 2021

Summary
Terraform Enterprise versions up to v202106-1 did not perform proper authorization checks for a subset of API requests performed using the run token, allowing for privilege escalation. This vulnerability, CVE-2021-36230, was fixed in Terraform Enterprise v202107-1.

Background
All Terraform operations within Terraform Enterprise are provided a unique, per-run token that allows them to read and/or write state from the authorized workspace. This is explained in HashiCorp’s documentation about the Terraform Cloud/Enterprise run environment.

Details
During internal security testing, it was discovered that Terraform Enterprise was not performing the proper authorization checks on a subset of API requests performed using the run token. Run tokens were erroneously authorized to invite new users to the organization.

A malicious user with plan access to a workspace could leverage this weakness to perform privilege escalation.

Remediation
The required authorization check has been added. Customers should update to Terraform Enterprise v202107-1.

As part of regular operation of a Terraform Enterprise installation, customers should consider regularly reviewing users and associated privileges across organizations.
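Since the weakness allowed a run token to add members to an organization, one concrete form of the review suggested above is to pull the organization's memberships from the API and flag pending invitations and accounts that are not on an expected list, giving extra weight to any that sit in a privileged team. The Python below is an added example and not HashiCorp's code; the endpoint path, the "status" values, the team relationship and the team ids are assumptions about the Terraform Enterprise API, and the response body is constructed.

```python
import json

# Constructed sample shaped like the JSON:API body returned by
# GET /api/v2/organizations/:org/organization-memberships. The endpoint path,
# the "status" values and the "teams" relationship are assumptions about the
# Terraform Enterprise API, not details taken from the advisory.
SAMPLE_BODY = json.dumps({"data": [
    {"id": "ou-1", "type": "organization-memberships",
     "attributes": {"email": "admin@example.com", "status": "active"},
     "relationships": {"teams": {"data": [{"id": "team-owners", "type": "teams"}]}}},
    {"id": "ou-2", "type": "organization-memberships",
     "attributes": {"email": "ci-bot@example.com", "status": "invited"},
     "relationships": {"teams": {"data": [{"id": "team-owners", "type": "teams"}]}}},
    {"id": "ou-3", "type": "organization-memberships",
     "attributes": {"email": "dev@example.com", "status": "invited"},
     "relationships": {"teams": {"data": []}}},
]})

KNOWN_EMAILS = {"admin@example.com", "dev@example.com"}   # constructed allowlist
PRIVILEGED_TEAMS = {"team-owners"}                         # constructed team id

def audit_memberships(body, known_emails, privileged_teams):
    """Flag organization memberships an operator should review.

    A membership is flagged when its invitation is still pending or its
    email is not on the allowlist; membership of a privileged team raises
    the severity to 'high'. Findings are returned highest severity first.
    """
    findings = []
    for m in json.loads(body)["data"]:
        email = m["attributes"]["email"]
        status = m["attributes"]["status"]
        teams = {t["id"] for t in m["relationships"]["teams"]["data"]}
        reasons = []
        if status != "active":
            reasons.append(f"status={status}")
        if email not in known_emails:
            reasons.append("not on allowlist")
        if not reasons:
            continue
        severity = "high" if teams & privileged_teams else "medium"
        findings.append({"id": m["id"], "email": email, "teams": sorted(teams),
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["email"]))
    return findings

if __name__ == "__main__":
    for f in audit_memberships(SAMPLE_BODY, KNOWN_EMAILS, PRIVILEGED_TEAMS):
        print(f"[{f['severity']}] {f['email']} ({f['id']}): {', '.join(f['reasons'])}")
```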

Acknowledgement
This issue was identified by the HashiCorp security team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.