HCSEC-2021-19 - Vault’s UI Cached User-Viewed Secrets Between Shared Browser Sessions

Bulletin ID: HCSEC-2021-19
Affected Products / Versions: Vault and Vault Enterprise up to 1.7.3 and 1.6.5; fixed in 1.8.0, pending in 1.7.4 and 1.6.6.
Publication Date: August 12, 2021

Summary
The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

Background
Vault offers an optional web-based UI for interacting with Vault which, among other features, provides the ability to view secrets with authorization enforced according to Vault policies.

The Vault UI is not activated by default, and requires ui=true to be set in the Vault configuration.

Details
The Vault UI web application failed to completely clear a client-side data cache on user logout. As a result, an authenticated user sharing a browser to access Vault may have been able to view the previous authenticated user’s cached secrets, even if they were not authorized by Vault policies to view them. This was possible if the following two conditions were met:

  1. The same browser instance must be used between sessions, and the window or tab must not have been closed or refreshed in between the user sessions.

  2. The exposed secret(s) must have been viewed by the previous user.

Vault deployments that do not enable the Vault UI are not affected by this issue.
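As an added illustration of the failure mode described above (constructed example, not Vault UI's own code; the backend table, secret paths and function names are hypothetical), the following models a single-page app whose logout clears only the auth token, beside a logout that also drops the client-side cache, and replays the two conditions listed above in one unrefreshed tab:

```javascript
// Constructed sample: a fake KV backend with a per-user allow list standing in for Vault policy.
const BACKEND = {
  "secret/data/payroll": { value: "acct-7731", allowed: ["alice"] },
  "secret/data/wiki":    { value: "wiki-pass", allowed: ["alice", "bob"] },
};

// Models the UI's in-memory state for one browser tab: token, user and a cache of viewed secrets.
function createSession(logoutImpl) {
  const state = { token: null, user: null, cache: new Map() };
  return {
    login(user) { state.token = `hvs.${user}-token`; state.user = user; },
    logout() { logoutImpl(state); },
    // Serves from the cache first; only a cache miss is checked against the backend's allow list.
    readSecret(path) {
      if (state.cache.has(path)) return state.cache.get(path);
      if (!state.token) throw new Error("not authenticated");
      const entry = BACKEND[path];
      if (!entry || !entry.allowed.includes(state.user)) return null; // permission denied
      state.cache.set(path, entry.value);
      return entry.value;
    },
    cacheSize() { return state.cache.size; },
  };
}

// Vulnerable pattern: only the token is cleared, so cached records outlive the session.
function vulnerableLogout(state) {
  state.token = null;
  state.user = null;
}

// Hardened pattern: the cache is cleared together with the token, so nothing crosses sessions.
function hardenedLogout(state) {
  state.token = null;
  state.user = null;
  state.cache.clear();
}

// Replays the bulletin's scenario: alice views a secret, logs out, bob logs in on the same tab
// without a refresh, and tries to read the secret alice viewed. Returns what bob sees.
function sharedTabScenario(logoutImpl) {
  const ui = createSession(logoutImpl);
  ui.login("alice");
  ui.readSecret("secret/data/payroll");
  ui.logout();
  ui.login("bob");
  return ui.readSecret("secret/data/payroll"); // null once the cache is cleared on logout
}
```

Condition 2 is visible in the model as well: a secret alice never read is never cached, so bob cannot obtain it through the stale cache regardless of which logout is used.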

Remediation
Customers who enable and use the Vault UI should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.8.0 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Alternatively, to mitigate the risk if unable to upgrade, Vault UI users should avoid sharing a browser, or should ensure they close or refresh their browser window or tab between Vault login sessions by different users.

Acknowledgement
This issue was identified by Avinash Kumar who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.