HCSEC-2022-18 - Vault Entity Alias Metadata May Leak Between Aliases With The Same Name Assigned To The Same Entity

Bulletin ID: HCSEC-2022-18
Affected Products / Versions: Vault and Vault Enterprise 1.8.0 through 1.11.2; fixed in 1.11.3, 1.10.6, and 1.9.9.
Publication Date: September 20, 2022

Summary
When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9.

Background
Vault’s identity secrets engine is the identity management solution for Vault. It has the concept of entities which may have aliases for each mount accessor they use.

By default, Vault will generate a unique entity alias name. Some authentication methods (e.g. Kubernetes) may also expose the ability to an operator to change the name that is used for the alias. Vault’s documentation on entity aliases also discourages the use of non-unique names.

There is additional information regarding these entity and alias concepts in Vault’s Identity Secrets Engine documentation, and the Identity: Entities and Groups tutorial.

Details
Within a single entity, the metadata of an entity alias of an auth method (e.g auth method “A”) may be overwritten when executing a login operation for an auth method with the same alias name (e.g. auth method “B”).

For example, if a Vault deployment is using templated ACL policies, and the policy uses alias.Name which is derived from the alias name, when the ACL policy is deployed the identity.entity.aliases.<mount accessor>.name key may be overwritten for a different mount accessor with the same alias name. This may grant access for the first auth method to access the second auth method’s mount accessor, which could lead to unintended access of data.

Entity aliases whose names were created by Vault using the auto-generation feature are unaffected by this bug as this requires a privileged operator to map entity aliases that share names, but have different mounts, to a single entity.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.11.3, 1.10.6, and 1.9.9, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Consider reviewing existing authentication methods to ensure proper functionality and operation, particularly in cases where custom entity aliases have been explicitly set in Vault configuration and duplicate alias names may exist as described above. Also consider the use of Vault’s feature to auto-generate entity alias names to ensure duplicates are not created in future.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.