HCSEC-2023-07 - Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation

Bulletin ID: HCSEC-2023-07
Affected Products / Versions: Vault and Vault Enterprise up to 1.12.3; fixed in 1.13.0, 1.12.4, 1.11.8, and 1.10.11.
Publication Date: March 10, 2023

Summary
When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing that secret ID's accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.

Background
The approle auth method allows machines or apps to authenticate with role-based, Vault-defined roles. AppRoles enable applications and other services to authenticate to Vault without the need for hardcoded credentials. An approle consists of a role ID and a secret ID, and may include a token ID accessor and a secret ID accessor, which help manage the role ID and secret ID without directly referencing the actual token.

Details
When Vault is configured with the approle auth method, approles are managed via the Vault API. The API supports CRUDL (create, read, update, delete, list) operations on an approle, but a user, whether a normal user or one with administrator access, must first be granted the corresponding permissions through a path policy before performing any of them.

Users can destroy an approle's secret ID by querying the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint. Secret ID accessors belong to the role the user has access to, so a request on this path is expected to affect only that role's secret IDs. When executing this command, Vault fails to verify that the secret ID accessor provided actually belongs to the role named in the path. An authenticated user can therefore supply valid secret ID accessors that belong to roles outside their role or path permissions, and the affected approles will no longer be able to authenticate to Vault.
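The missing check described above, modelled as an added example (this is not Vault's code; the AppRoleStore type, its methods and the sample accessors are constructed for illustration): the unchecked form resolves the accessor globally and destroys it, while the hardened form rejects any accessor not issued under the role named in the request path.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model of AppRole state for this example; the type and
// function names are hypothetical and are not Vault's internal API.
type AppRoleStore struct {
	Owner map[string]string // secret ID accessor -> role that issued it
}

var ErrNotFound = errors.New("secret ID accessor not found")
var ErrNotOwned = errors.New("secret ID accessor does not belong to this role")

// Issue records a new secret ID accessor under the role that generated it.
func (s *AppRoleStore) Issue(role, accessor string) { s.Owner[accessor] = role }

// DestroyUnchecked mirrors the pre-fix behaviour the bulletin describes: the
// caller is authorized for the role in the request path, but the accessor is
// looked up globally and destroyed without checking which role owns it.
func (s *AppRoleStore) DestroyUnchecked(role, accessor string) error {
	if _, ok := s.Owner[accessor]; !ok {
		return ErrNotFound
	}
	delete(s.Owner, accessor)
	return nil
}

// DestroyChecked is the hardened form: the accessor must belong to the role
// named in the request path, so a policy scoped to one role cannot reach others.
func (s *AppRoleStore) DestroyChecked(role, accessor string) error {
	owner, ok := s.Owner[accessor]
	if !ok {
		return ErrNotFound
	}
	if owner != role {
		return ErrNotOwned
	}
	delete(s.Owner, accessor)
	return nil
}

func main() {
	s := &AppRoleStore{Owner: map[string]string{}}
	s.Issue("billing", "acc-billing-1") // constructed sample accessors
	s.Issue("web", "acc-web-1")
	fmt.Println("cross-role destroy:", s.DestroyChecked("web", "acc-billing-1"))
}
```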

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.13.0, 1.12.4, 1.11.8, 1.10.11, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by a HashiCorp customer who reported it through support channels.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.