HCSEC-2022-17 - Boundary Allowed Access To Host Sets And Credential Sources For Authorized Users Of Another Scope

Bulletin ID: HCSEC-2022-17
Affected Products / Versions: Boundary up to 0.10.1; fixed in 0.10.2.
Publication Date: August 23, 2022

Summary
HashiCorp Boundary versions up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated with the correct scopes, allowing potential privilege escalation for authorized users of another scope. This vulnerability, CVE-2022-36130, is fixed in Boundary 0.10.2.

Background
A Scope is a permission boundary modeled as a container. The permission model is an allow-only, RBAC model that defines access between resources. Three types of scopes exist:

  • Global scope, which exists by default.
  • Organization scope, which is contained in the Global scope and contains users, groups, auth methods, roles, and projects.
  • Project scope, which is contained by the Organization scope and contains roles, targets, host catalogs, and credential stores.

Details
During internal testing, it was discovered that both Boundary host sets and credential sources would allow unintended linking across projects, provided an authorized operator of a given scope has knowledge of a machine-generated alphanumeric identifier of a host set or credential source belonging to another project scope.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Boundary 0.10.2 or newer. Please refer to Upgrading Boundary for general guidance and version-specific upgrade notes.

Boundary 0.10.2 provides operators with:

  1. Database migrations that detect any targets with cross-project associations to host sets or credential sources.
  2. A command line tool to delete any existing cross-project associations. No targets, host sets, or credential sources will be deleted as part of this process.
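
The scope integrity check described under Details, sketched as an added example (not Boundary's code, schema or migration logic): a target may reference only host sets and credential sources owned by its own project scope. The inventory structures and every identifier below are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Hypothetical inventory model (an assumption, not Boundary's schema).
type Target struct {
	ID, ProjectID             string
	HostSetIDs, CredSourceIDs []string
}

// Finding is one target association that fails the scope check.
type Finding struct{ TargetID, Kind, ResourceID, OwnerProject string }

// Audit reports every host set or credential source linked to a target
// that is owned by a different project, or whose owner is unknown.
func Audit(targets []Target, hostSetOwner, credSourceOwner map[string]string) []Finding {
	var out []Finding
	check := func(t Target, kind string, ids []string, owner map[string]string) {
		for _, id := range ids {
			// Integrity check: the resource must exist and share the target's project.
			if p, known := owner[id]; !known || p != t.ProjectID {
				out = append(out, Finding{t.ID, kind, id, p})
			}
		}
	}
	for _, t := range targets {
		check(t, "host-set", t.HostSetIDs, hostSetOwner)
		check(t, "credential-source", t.CredSourceIDs, credSourceOwner)
	}
	return out
}

// sample returns constructed data: target-b links resources owned by project-a.
func sample() ([]Target, map[string]string, map[string]string) {
	targets := []Target{
		{"target-a", "project-a", []string{"hostset-a1"}, []string{"cred-a1"}},
		{"target-b", "project-b", []string{"hostset-b1", "hostset-a1"}, []string{"cred-a1"}},
	}
	return targets,
		map[string]string{"hostset-a1": "project-a", "hostset-b1": "project-b"},
		map[string]string{"cred-a1": "project-a"}
}

func main() {
	for _, f := range Audit(sample()) {
		fmt.Printf("%s -> %s %s (owned by %q)\n", f.TargetID, f.Kind, f.ResourceID, f.OwnerProject)
	}
}
```

An association whose owner cannot be resolved is reported with an empty owner rather than silently accepted.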

Acknowledgement
This issue was identified by the Boundary engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.