Bulletin ID: HCSEC-2021-20
Affected Products / Versions: Vault and Vault Enterprise 1.4.0 up to 1.7.3; fixed in 1.8.0.
Publication Date: August 12, 2021
When initializing Vault’s Integrated Storage backend, excessively broad filesystem permissions may be set for the underlying Bolt database used by Vault’s Raft implementation. This vulnerability, CVE-2021-38553, was fixed in Vault 1.8.0.
Vault’s Integrated Storage was introduced in Vault 1.4.0, providing a built-in highly available storage backend. As documented, the Integrated Storage backend uses the Raft consensus protocol, which uses BoltDB as an underlying datastore.
During initialization of the Integrated Storage backend, Vault creates a database file on disk with potentially excessive filesystem permissions, though these vary depending on the operating system’s umask values. This
vault.db file is written to the location configured by the
path parameter in Vault’s Raft configuration.
Most Vault environments are unlikely to have significant exposure as a result of this issue:
Only Vault clusters utilizing Integrated Storage are affected.
The default system umask on each Vault node will likely cause a less-broad permission to be applied.
In the Vault security model, storage backends are considered untrusted by design. Barrier encryption is applied before data is written to Vault storage backends including Integrated Storage, guarding against unauthorized access or tampering of data. However, the database file could be deleted, potentially resulting in denial of service.
Vault’s production hardening guide recommends a single tenancy model, which reduces the likelihood of another process or user manipulating the host’s filesystem.
Customers using Vault’s Integrated Storage should evaluate the risk associated with this issue in conjunction with the mitigating factors noted above, and consider reviewing and possibly updating filesystem permissions for the
vault.db file across their Vault nodes.
New deployments of Vault or Vault Enterprise 1.8.0 or newer will create the Integrated Storage database with more restrictive filesystem permissions by default.
This issue was identified by the Vault engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.