HCSEC-2023-03 - Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured

Bulletin ID: HCSEC-2023-03
Affected Products / Versions: Boundary 0.10.0 up to 0.11.2; fixed in 0.12.0.
Publication Date: February 8, 2023

A vulnerability in Boundary was identified such that when a Key Management Service (KMS) was defined in Boundary’s configuration file with the intent of using the KMS to encrypt the credentials stored on disk, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This vulnerability, CVE-2023-0690, was fixed in Boundary 0.12.0.

Boundary has support for various KMS to ensure secure end-to-end behavior of the system. When running a Boundary worker using the PKI-based method for authentication, an optional KMS configuration can be defined in the configuration file. This configuration enables Boundary to encrypt the credential files at rest and automatically rotate those credentials on a periodic basis.

A bug was identified in configurations where the operator uses PKI-based worker authentication and has defined a KMS for “worker-auth-storage”. When a credential was rotated, the new credentials were not encrypted via the intended KMS. In most instances, this would result in plaintext credentials being stored on disk, although in some cases this could result in the credentials being encrypted with the wrong KMS, which would render them useless for any operation.
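To help operators recognize whether a worker falls under the affected setup, the fragment below sketches a PKI worker configuration with a KMS defined for “worker-auth-storage”. It is an added illustration, not configuration taken from this bulletin; the storage path, region and key ID are placeholders, and the `awskms` KMS type is an assumption (any supported KMS type with this purpose is in scope).

```hcl
# Added example, not from the bulletin. All values are placeholders.

worker {
  # Directory where the PKI worker keeps its authentication credentials.
  # On affected versions (0.10.0 up to 0.11.2), credentials written here
  # after an automatic rotation may not be encrypted with the KMS below.
  auth_storage_path = "/path/to/worker/auth-storage" # placeholder path

  # Other worker settings omitted.
}

# KMS intended to encrypt the worker's stored credentials at rest.
# The purpose value is what places a worker in scope of this bulletin.
kms "awskms" {                            # assumed KMS type
  purpose    = "worker-auth-storage"
  region     = "REGION-PLACEHOLDER"       # placeholder
  kms_key_id = "KMS-KEY-ID-PLACEHOLDER"   # placeholder
}
```

Workers running an affected version with a `kms` block of this purpose are the ones whose stored credentials need to be replaced after upgrading.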

Customers should evaluate the risk associated with this issue and consider upgrading to Boundary 0.12.0 or newer. Once updated, customers should perform one of the following actions:

  • Wait for the next worker authentication rotation to occur, typically within one week, at which point the new credentials should be properly encrypted.
  • Delete the worker from the system and re-authorize it, forcing the worker to generate a new set of credentials immediately, which will be encrypted.

Please refer to the Upgrade and Database Migration documentation on how to upgrade Boundary.

This issue was identified by the Boundary engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.