HCSEC-2021-30 - Vault's Templated ACL Policies Matched First-Created Alias Per Entity and Auth Backend

Bulletin ID: HCSEC-2021-30
Affected Products / Versions: Vault and Vault Enterprise 0.11.0 through 1.7.5 and 1.8.4; fixed in 1.7.6, 1.8.5 and 1.9.0.
Publication Date: November 18, 2021

Summary
Vault and Vault Enterprise (“Vault”) templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

Background
Vault’s identity secrets engine is the identity management solution for Vault. It has the concept of entities which may have aliases for each mount accessor they use. Vault generally expects a single alias per entity and authentication backend.

There is additional information regarding these entity and alias concepts in Vault’s Identity Secrets Engine documentation, and the Identity: Entities and Groups tutorial. Additional information regarding templated ACL policies can be found in the Templated Policies documentation, and the ACL Policy Path Templating tutorial.

Details
An external party reported that, when using templated ACL policies, it was possible for a single entity to have multiple entity aliases for the same entity and mount combination. It was observed that such cases may result in incorrect policies being applied: the permissions of the first-created entity alias continue to be enforced, but are also enforced for the newly created alias.

As of 1.7.6, 1.8.5, and 1.9.0, Vault prevents the creation of a new entity alias if one already exists for the given entity and mount combination. On startup, Vault also warns operators if multiple entity aliases exist for the same entity and mount combination: “One or more entities have multiple aliases on the same mount(s), remove duplicates to avoid ACL templating issues.”
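
One way to audit for the condition the startup warning describes, as an added example that is not HashiCorp's code: it groups each entity's aliases by mount accessor and reports the first-created alias, the one this bulletin says templated policies matched. It assumes entity records shaped like the data object returned by reading an entity from the identity secrets engine (fields id, aliases, name, mount_accessor, creation_time); the sample records and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, shaped like the "data" object of an entity read (assumption).
SAMPLE_ENTITIES = [
    {"id": "entity-0001", "aliases": [
        {"name": "bob", "mount_accessor": "auth_userpass_aaaa1111",
         "creation_time": "2021-10-02T09:30:00.5Z"},
        {"name": "alice", "mount_accessor": "auth_userpass_aaaa1111",
         "creation_time": "2021-10-02T09:30:00Z"},
        {"name": "alice@example.com", "mount_accessor": "auth_oidc_bbbb2222",
         "creation_time": "2021-10-03T08:00:00.123456789Z"},
    ]},
    {"id": "entity-0002", "aliases": [
        {"name": "carol", "mount_accessor": "auth_userpass_aaaa1111",
         "creation_time": "2021-10-04T10:00:00Z"},
    ]},
]

def creation_key(ts):
    """Sort key for RFC 3339 UTC timestamps with 0 to 9 fractional digits."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts!r}")
    seconds = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    # Pad the fraction to nanoseconds so "00Z" sorts before "00.5Z".
    return (seconds, int((m.group(2) or "").ljust(9, "0")))

def find_duplicate_aliases(entities):
    """Report every entity/mount pair that carries more than one alias."""
    findings = []
    for entity in entities:
        by_mount = defaultdict(list)
        for alias in entity.get("aliases") or []:
            by_mount[alias["mount_accessor"]].append(alias)
        for accessor, aliases in sorted(by_mount.items()):
            if len(aliases) < 2:
                continue
            ordered = sorted(aliases, key=lambda a: creation_key(a["creation_time"]))
            findings.append({
                "entity_id": entity["id"],
                "mount_accessor": accessor,
                "first_created": ordered[0]["name"],  # alias templated policies matched
                "later_aliases": [a["name"] for a in ordered[1:]],
            })
    return findings

if __name__ == "__main__":
    print(*find_duplicate_aliases(SAMPLE_ENTITIES), sep="\n")
```

Each finding is an entity and mount pair to reduce to a single alias, which is the state Vault expects and the fixed versions enforce for new aliases.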

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.7.6, 1.8.5, or 1.9.0. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Christian Baumann and Nick Triller, who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.

Update Regarding Risk Scoring

The CVSS score originally published to the NIST NVD for this issue was 9.1 (Critical), with a vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

In contrast, HashiCorp’s internal CVSS scoring was 5.9 (Medium), with a vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N.

To exploit this vulnerability, an attacker requires write permissions to the identity/entity-alias endpoint, which are generally reserved for privileged Vault operators. In most cases, it is likely that such a user would be able to legitimately and directly assign themselves those policies without needing to exploit this vulnerability. As a result, we’ve assessed both attack complexity and privileges required as high.