HCSEC-2021-27 - Vault Merging Multiple Entity Aliases for the Same Mount May Allow Privilege Escalation

Bulletin ID: HCSEC-2021-27
Affected Products / Versions: Vault and Vault Enterprise through 1.7.4 and 1.8.3; fixed in 1.7.5 and 1.8.4.
Publication Date: October 7, 2021

Summary
A Vault or Vault Enterprise (“Vault”) user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

Background
Vault’s Identity secrets engine is the identity management solution for Vault. It has the concept of entities which may have aliases for each mount accessor they use. There is additional information regarding these entity and alias concepts in Vault’s Identity Secrets Engine documentation, and the Identity: Entities and Groups tutorial.

Details
An external party reported that it was possible for a single entity to end up with multiple entity aliases of the same name and mount. On internal investigation, it was observed that this behavior may be exploited by an authenticated user with specific write permissions to achieve escalation of privileges.

Renaming an alias requires write permission to the alias ID. In most configurations, this permission is reserved for privileged users who could typically obtain equivalent permissions by other means.

Prior to versions 1.7.5 and 1.8.4, Vault already returned a warning on merge ("identity: alias is already tied to a different entity; these entities are being merged"). As of 1.7.5 and 1.8.4, the alias rename operation fails if the resulting entity alias name and mount accessor combination already exists.
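To make the pre-fix merge and the 1.7.5 / 1.8.4 check concrete, the following is an added toy model in Go; it is not Vault's own code, and the entity IDs, alias names, mount accessor and policy names are constructed for illustration.

```go
package main

import "fmt"

// Toy model of the identity store (added illustration, not Vault's own code).
type Alias struct{ Name, MountAccessor, EntityID string }
type Entity struct{ Policies map[string]bool }
type Store struct {
	Entities map[string]*Entity
	Aliases  map[string]*Alias
	Fixed    bool // true models the 1.7.5 / 1.8.4 check
}

// RenameAlias models an update to identity/entity-alias/id/<id> with a new name.
func (s *Store) RenameAlias(aliasID, newName string) error {
	a, ok := s.Aliases[aliasID]
	if !ok {
		return fmt.Errorf("alias %s not found", aliasID)
	}
	for _, dup := range s.Aliases {
		// Same name on the same mount accessor, but owned by a different entity.
		if dup.Name != newName || dup.MountAccessor != a.MountAccessor || dup.EntityID == a.EntityID {
			continue
		}
		if s.Fixed {
			return fmt.Errorf("alias %q already exists on mount accessor %s", newName, a.MountAccessor)
		}
		// Pre-fix behaviour: a warning only, then the two entities are merged and
		// the alias owner's entity ends up with the union of both policy sets.
		for p := range s.Entities[dup.EntityID].Policies {
			s.Entities[a.EntityID].Policies[p] = true
		}
	}
	a.Name = newName
	return nil
}

// NewStore builds a constructed scenario: two users on one userpass mount accessor.
func NewStore(fixed bool) *Store {
	return &Store{Fixed: fixed,
		Entities: map[string]*Entity{
			"ent-low":   {Policies: map[string]bool{"default": true}},
			"ent-admin": {Policies: map[string]bool{"default": true, "admin": true}},
		},
		Aliases: map[string]*Alias{
			"al-low":   {Name: "bob", MountAccessor: "auth_userpass_0000", EntityID: "ent-low"},
			"al-admin": {Name: "alice", MountAccessor: "auth_userpass_0000", EntityID: "ent-admin"},
		},
	}
}
```

With Fixed set to false, renaming "al-low" to "alice" silently grants the admin policy to ent-low; with Fixed set to true the same request is rejected and nothing changes.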

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.7.5 or 1.8.5. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

As noted in Vault’s Identity documentation, care should be taken when granting permissions to identity endpoints.

Acknowledgement
This issue was identified by mdgreenfield who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.