HCSEC-2022-09 - Vault PKI Secrets Engine Policy Results In Incorrect Wildcard Certificate Issuance

Bulletin ID: HCSEC-2022-09
Affected Products / Versions: Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3; fixed in 1.8.9 and 1.9.4.
Publication Date: March 4, 2022

Vault and Vault Enterprise (“Vault”) allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. This vulnerability, CVE-2022-25243, was fixed in Vault Enterprise 1.8.9 and 1.9.4.

Vault’s PKI secrets engine provides several PKI role policy attributes that allow an operator to granularly define policies:

  • allow_bare_domains specifies if the policy can issue a certificate for the exact domain in allowed_domains (e.g., example[.]com).
  • allow_glob_domains permits the use of a glob * characters in patterns specified in allowed_domains. When disabled, * in a allowed_domain entry will be treated as a wildcard character.
  • allow_subdomains restricts the issuance of wildcard certificates and certificates for subdomains of those listed in allowed_domains.
  • allowed_domains in combination with the above attributes define an allowlist of domains which this role can issue against.

It was reported that Vault’s PKI secrets engine was unexpectedly permitting the issuance of wildcard certificates when allow_subdomains was set to false. The scenario in question required allow_bare_domains be set to true as well as at least one domain without globs (e.g., example[.]com or subdomain[.]example[.]com) be in the allowed_domains field of a PKI issuance role.

One mitigating factor is that the allow_bare_domains attribute is false by default and must be explicitly enabled by an operator.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.8.9 and 1.9.4, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was independently identified by both the Vault engineering team and an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.