HCSEC-2023-10 - Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations

Bulletin ID: HCSEC-2023-10
Affected Products / Versions: Vault and Vault Enterprise up to 1.13.0, 1.12.4, and 1.11.8; fixed in 1.13.1, 1.12.5, 1.11.9.
Publication Date: March 29, 2023

Summary
HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups and was vulnerable to cache-timing attacks. An attacker with access to the host and the ability to observe a large number of unseal operations through a side channel may reduce the search space of a brute-force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Background
One component of Vault’s security model is the concept and implementation of sealed and unsealed states. By default, unseal keys use Shamir’s Secret Sharing to split the key into shares instead of distributing the unseal key as a single key. A certain threshold of shares is required to reconstruct the unseal key, which is then used to decrypt the root key.

Details
Vault’s Shamir implementation uses Go’s crypto/subtle package and constant-time functions to help prevent timing attacks. Within this implementation, mult and div are two functions that compute their results from the difference between entries in two precomputed Galois Field log tables. The CPU loads these tables into its cache so that subsequent lookups do not have to read from memory. The way these lookup tables are loaded into the cache leads to cache-timing leaks.

By performing a cache-timing attack, an attacker may, through a side channel, be able to monitor the cache as it empties and reloads. Observations of a large number of seal operations may reduce the search space of a brute-force effort to recover the Shamir shares, which, if successful, would result in retrieval of sensitive data such as the unseal or root key.

It is unclear how practical such an attack is, but the mult and div functions used in Vault’s Shamir implementation have been modified to remove table lookups and negate this attack.
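The contrast described in the Details section, as an added example that is not Vault's code: GF(2^8) mult and div implemented with precomputed log/exp tables (the lookup pattern whose addresses depend on secret operands) next to a table-free, branch-free version that returns identical results. The example assumes the AES reducing polynomial x^8+x^4+x^3+x+1 (0x11b) and generator 3; Vault's own tables and its fix may differ in those details, and the function names multTable, divTable, multCT, invCT, divCT and tablesAgreeWithConstantTime are this example's own.

```go
package main

import "fmt"

// Added example, not Vault's code. Assumes GF(2^8) with the AES reducing
// polynomial 0x11b and generator 3; these are illustration choices only.

// xtime multiplies by x (i.e. by 2) with reduction, without branching.
func xtime(a byte) byte {
	carry := -(a >> 7) // 0xff if the top bit is set, else 0x00
	return (a << 1) ^ (carry & 0x1b)
}

// Precomputed log/exp tables: the pattern the advisory describes as leaky,
// because the address of each lookup depends on the secret operands.
var expTable, logTable [256]byte

func init() {
	x := byte(1)
	for i := 0; i < 255; i++ {
		expTable[i] = x
		logTable[x] = byte(i)
		x = xtime(x) ^ x // x *= 3 (the generator)
	}
	expTable[255] = expTable[0]
}

// multTable and divTable: table-lookup arithmetic. Which cache lines are
// touched by logTable[a], logTable[b] and expTable[...] depends on a and b.
func multTable(a, b byte) byte {
	if a == 0 || b == 0 { // the early exit is itself a timing signal
		return 0
	}
	return expTable[(int(logTable[a])+int(logTable[b]))%255]
}

func divTable(a, b byte) byte {
	if b == 0 {
		panic("division by zero")
	}
	if a == 0 {
		return 0
	}
	return expTable[(int(logTable[a])-int(logTable[b])+255)%255]
}

// multCT: table-free, branch-free multiplication. Every iteration performs
// the same operations and touches no operand-dependent memory address.
func multCT(a, b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		mask := -(b & 1) // 0xff if the low bit of b is set, else 0x00
		r ^= a & mask
		a = xtime(a)
		b >>= 1
	}
	return r
}

// invCT computes a^254 = a^-1 in GF(2^8) (and maps 0 to 0). The exponent is
// a public constant, so branching on its bits reveals nothing about a.
func invCT(a byte) byte {
	r := byte(1)
	for i := 7; i >= 0; i-- {
		r = multCT(r, r)
		if (254>>uint(i))&1 == 1 {
			r = multCT(r, a)
		}
	}
	return r
}

func divCT(a, b byte) byte {
	if b == 0 {
		panic("division by zero")
	}
	return multCT(a, invCT(b))
}

// tablesAgreeWithConstantTime is the regression check one wants when swapping
// implementations: every operand pair must give the same result both ways.
func tablesAgreeWithConstantTime() bool {
	for a := 0; a < 256; a++ {
		for b := 0; b < 256; b++ {
			if multTable(byte(a), byte(b)) != multCT(byte(a), byte(b)) {
				return false
			}
			if b != 0 && divTable(byte(a), byte(b)) != divCT(byte(a), byte(b)) {
				return false
			}
		}
	}
	return true
}

func main() {
	fmt.Printf("0x53 * 0xca = 0x%02x (table) / 0x%02x (constant-time)\n",
		multTable(0x53, 0xca), multCT(0x53, 0xca))
	fmt.Println("all 65536 operand pairs agree:", tablesAgreeWithConstantTime())
}
```

The equivalence check proves only that the two arithmetics agree on every input; it says nothing about timing. The property that matters for the advisory is visible by inspection of multCT and invCT: no memory access and no branch depends on a secret operand, which is what removing the table lookups buys.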

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.13.1, 1.12.5, 1.11.9, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Giuseppe Cocomazzi.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.