HCSEC-2023-11 - Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata

Bulletin ID: HCSEC-2023-11
Affected Products / Versions: Vault and Vault Enterprise since 1.11.0; fixed in 1.13.1, 1.12.5, and 1.11.9.
Publication Date: March 29, 2023

Summary
Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Background
Vault’s PKI engine allows users to generate dynamic X.509 certificates, without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault’s built-in authentication and authorization mechanisms provide the verification functionality. More information about the PKI secrets engine can be found in https://developer.hashicorp.com/vault/docs/secrets/pki.

Vault 1.11.0 introduced the ability to share a PKI mount with several issuers (Certificate Authorities) on a single mount, to provide users with more management flexibility. More information is available in https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine#notice-about-multi-issuer-functionality.

Details
During internal testing, we discovered that several unauthenticated endpoints did not correctly authorize inbound requests and allowed for modification or deletion of certain metadata fields. An attacker may have been able to modify or delete some authority information fields for existing issuers, including crl_distribution_points and ocsp_servers, potentially resulting in denial of service for a given PKI mount.

This issue affects a subset of issuer endpoints (<pki-mount>/issuer/:ref/{json,der,pem}). The primary <pki-mount>/issuer/:ref endpoint is not affected by this bug and remains properly authenticated.

Any issuer CA certificates which were deleted may safely be re-imported: the integrity and availability of all key material and certificates are unaffected, and this issue only affects metadata associated with the certificate and managed by Vault.
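Operators who want to check whether an unpatched mount received such requests can scan the Vault audit log for write or delete operations against the affected format endpoints, which are the only issuer paths that should never see an update or delete. The following scanner is an added example for this bulletin, not HashiCorp code; it assumes the JSON file audit device layout (one object per line with `type`, `request.operation`, `request.path` and an `auth` block), and the sample lines it runs over are constructed, not real audit output.

```python
"""Flag Vault audit entries that modified or deleted issuer metadata via
<mount>/issuer/:ref/{json,der,pem} (HCSEC-2023-11). Added example for this
bulletin; assumes the JSON file audit device format."""
import json
import re

# Only the format-suffixed endpoints are affected; <mount>/issuer/:ref is not.
AFFECTED_PATH = re.compile(r"^(?P<mount>.+)/issuer/(?P<ref>[^/]+)/(json|der|pem)$")
WRITE_OPS = {"update", "delete"}


def suspect_issuer_writes(lines) -> list[dict]:
    """Return one summary per request entry whose operation was an update or
    delete on an affected endpoint. Before the fix such requests succeed
    without a token; after it they are rejected, so hits mean exposure."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of aborting the scan
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        op = req.get("operation")
        match = AFFECTED_PATH.match(req.get("path", ""))
        if not match or op not in WRITE_OPS:
            continue
        auth = entry.get("auth") or {}
        hits.append({
            "time": entry.get("time"),
            "mount": match.group("mount"),
            "issuer_ref": match.group("ref"),
            "operation": op,
            "remote_address": req.get("remote_address"),
            "unauthenticated": not auth.get("accessor"),  # no token accessor recorded
        })
    return hits


# Constructed sample audit lines (not real Vault output) covering the cases:
# an allowed read, two unauthenticated writes, a write to the unaffected
# primary endpoint, and a non-JSON line.
SAMPLE_AUDIT_LINES = [
    '{"time":"2023-03-20T10:00:01Z","type":"request","auth":{"accessor":"hmac-sha256:aaa"},"request":{"operation":"read","path":"pki/issuer/default/pem","remote_address":"10.0.0.5"}}',
    '{"time":"2023-03-20T10:00:02Z","type":"request","auth":{},"request":{"operation":"delete","path":"pki/issuer/default/json","remote_address":"10.0.0.9"}}',
    '{"time":"2023-03-20T10:00:03Z","type":"request","auth":{},"request":{"operation":"update","path":"pki/issuer/root-2023/der","remote_address":"10.0.0.9"}}',
    '{"time":"2023-03-20T10:00:04Z","type":"request","auth":{"accessor":"hmac-sha256:aaa"},"request":{"operation":"update","path":"pki/issuer/default","remote_address":"10.0.0.5"}}',
    'not json',
]
```

Run `suspect_issuer_writes(open("audit.log"))` against a real audit file; on the constructed sample it reports the two unauthenticated writes and nothing else.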

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.13.1, 1.12.5, and 1.11.9, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

The Vault team maintains documentation and best practices around the use of the PKI secrets engine in https://developer.hashicorp.com/vault/docs/secrets/pki/considerations.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.