HCSEC-2021-28 - Vault's Google Cloud Secrets Engine Policies With Globs May Provide Additional Privileges in Vault 1.8.0 Onwards

Bulletin ID: HCSEC-2021-28
Affected Products / Versions: Vault and Vault Enterprise since 1.8.0.
Publication Date: October 7, 2021

Summary
The Google Cloud secrets engine in Vault or Vault Enterprise (“Vault”) 1.8.0 and above may provide users, under specific conditions, with more privileges than in prior versions. Due to changes in the underlying functionality of the Google Cloud secrets engine, policies that use globs (*) may provide more privileges in Vault versions 1.8.0 onwards. This possible configuration weakness has been assigned CVE-2021-42135.

Background
Vault’s Google Cloud secrets engine allows Vault to interact with Google Cloud and create scoped credentials or service accounts on the cloud platform. Vault’s policy syntax describes what actions a user can perform on a given path, and provides fine-grained access controls to help enforce the principle of least privilege to secrets stored in Vault.

Details
An external party reported that, starting with Vault 1.8.0, it was possible for permissive policies that use a glob (*) to grant users further permissions. The introduction of roleset-specific endpoints (noted in the 1.8.0 changelog) would allow a user with “read” permissions on the /gcp/roleset/* path to issue Google Cloud service account credentials.

If the Google Cloud secrets engine policies do not contain a glob (*) or are otherwise sufficiently restrictive, the behavior remains unchanged.

Remediation
Vault’s Google Cloud secrets engine documentation has been updated to provide additional guidance regarding roleset-related policy definition.

Vault operators using the Google Cloud secrets engine, particularly those running Vault 1.8.0 and above, should review their Vault policies to ensure they meet their requirements and adhere to the principle of least privilege. They should specifically look for policies with the endpoints and glob usage noted above and consider moving to a wildcard.
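The following policy fragment is an added illustration of the review described above, not text from the bulletin or from HashiCorp's documentation. It assumes the roleset-specific endpoints take the form gcp/roleset/<name>/token and gcp/roleset/<name>/key, as in the Vault 1.8 secrets engine API, and the roleset name billing-reader is a constructed placeholder.

```hcl
# Before: written pre-1.8.0 to let a user inspect roleset configuration.
# From 1.8.0 the same glob also matches the nested roleset-specific
# credential endpoints, so "read" here is enough to mint credentials.
path "gcp/roleset/*" {
  capabilities = ["read"]
}

# After: "+" matches exactly one path segment, so only gcp/roleset/<name>
# is covered, not gcp/roleset/<name>/token or gcp/roleset/<name>/key.
path "gcp/roleset/+" {
  capabilities = ["read"]
}

# Defence in depth: an explicit deny wins over any capability granted by
# another policy attached to the same token, including a broader glob.
path "gcp/roleset/+/token" {
  capabilities = ["deny"]
}
path "gcp/roleset/+/key" {
  capabilities = ["deny"]
}

# Credential issuance, where it is actually wanted, stays explicit and
# scoped to a named roleset (constructed name) rather than a glob.
path "gcp/token/billing-reader" {
  capabilities = ["read"]
}
```

After loading a revised policy, a token holding only that policy can be checked against the nested paths with the token capabilities endpoint before the change is rolled out to users.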

Acknowledgement
This issue was identified by mdgreenfield who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.