HCSEC-2022-15 - Vault Enterprise Does Not Verify Existing Voter Status When Joining An Integrated Storage HA Node

Bulletin ID: HCSEC-2022-15
Affected Products / Versions: Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0; fixed in 1.9.8, 1.10.5, and 1.11.1.
Publication Date: July 25, 2022

Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1.

Vault Enterprise nodes operating in high availability (HA) mode with Integrated Storage can add new nodes to the cluster. This is done through the join CLI command or its accompanying API endpoint. The API request includes a parameter that changes the voter status of the node. By design, this operation requires no authentication to the API, but it does require the targeted node to be unsealed so that it can complete a challenge/response with the leader node.

It was reported that the /sys/storage/raft/join API endpoint could be called multiple times for a given node, even after a successful join. Modifying the voter_status parameter from true to false changed the voter status of the targeted node.

A malicious actor with access to the unauthenticated join API may be able to programmatically change the voter status of each node in a cluster, which may increase the operational risk of the cluster. This modification, in addition to any subsequent node failures, may lead to data loss or catastrophic failure of the high availability cluster, resulting in the cluster being inaccessible.
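A detection-side check for the condition described above, as an added example that is not part of HashiCorp's bulletin: it compares the voter flags in the cluster's raft configuration against an operator-maintained baseline and reports how many voter failures the cluster can still survive. The JSON shape is assumed to be that of `vault operator raft list-peers -format=json` (`data.config.servers[]` with `node_id` and `voter`); the node names, baseline and sample document are constructed.

```python
import json

# Constructed sample in the assumed shape of
# `vault operator raft list-peers -format=json` (data.config.servers[]).
SAMPLE = json.dumps({"data": {"config": {"index": 42, "servers": [
    {"node_id": "vault-a", "address": "10.0.0.1:8201", "leader": True, "voter": True},
    {"node_id": "vault-b", "address": "10.0.0.2:8201", "leader": False, "voter": False},
    {"node_id": "vault-c", "address": "10.0.0.3:8201", "leader": False, "voter": False},
]}}})

# Hypothetical operator-maintained baseline: nodes that are supposed to vote.
EXPECTED_VOTERS = {"vault-a", "vault-b", "vault-c"}


def failure_tolerance(voters: int) -> int:
    """Voter failures raft survives: voters - quorum, where quorum = n // 2 + 1."""
    return max(voters - (voters // 2 + 1), 0)


def check_voters(raw: str, expected: set) -> dict:
    """Compare live voter flags with the baseline and report any drift."""
    servers = json.loads(raw)["data"]["config"]["servers"]
    live = {s["node_id"]: bool(s.get("voter")) for s in servers}
    voters = {node for node, is_voter in live.items() if is_voter}
    return {
        # Present in the cluster but no longer voting: the change this bulletin describes.
        "demoted": sorted(n for n in expected if n in live and not live[n]),
        # Expected nodes that are absent from the raft configuration entirely.
        "missing": sorted(expected - set(live)),
        # Voters that the baseline does not know about.
        "unexpected_voters": sorted(voters - expected),
        "tolerance_now": failure_tolerance(len(voters)),
        "tolerance_expected": failure_tolerance(len(expected)),
    }


if __name__ == "__main__":
    report = check_voters(SAMPLE, EXPECTED_VOTERS)
    print(json.dumps(report, indent=2))
    if report["demoted"] or report["tolerance_now"] < report["tolerance_expected"]:
        raise SystemExit("ALERT: voter set drifted from baseline")
```

In the constructed sample two of three voters have been demoted, so the failure tolerance drops from one node to zero and the loss of the remaining voter would leave the cluster without quorum.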

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.9.8, 1.10.5, 1.11.1, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by a third party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.