Bulletin ID: HCSEC-2023-12
Affected Products / Versions: Vault up to 1.13.0, 1.12.4, and 1.11.8; fixed in 1.13.1, 1.12.5, 1.11.9.
Publication Date: March 29, 2023
Summary
When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9.
Background
Vault allows for the configuration of various storage backends. Storage backends act as a place for durable storage during Vault operations. Vault supports internal (e.g., Integrated Storage) as well as external storage backends (e.g., Consul, MSSQL, and others. Configuration is set using the storage stanza within Vault’s configuration file.
Details
When configuring MSSQL as a storage backend, a number of parameters are required to establish a connection to the target database, such as username, password, schema, database, and table.
When establishing a connection between Vault and the database server, Vault passes these parameters set in Vault’s configuration directly to the database. Vault considers these values to be trusted and does not sanitize the values for schema, database, and table, resulting in a malicious user being able to include malicious SQL code that will execute when the Vault configuration is applied.
It is important to note that only highly privileged users or administrators can apply Vault configurations. An attacker would also require access to the configuration file or know the username and password to the target database, in which case an attacker may be able to execute SQL commands through reading the configuration.
Remediation
Customers who use the MSSQL storage backend should evaluate the risk associated with this issue and consider upgrading to Vault 1.13.1, 1.12.5, and 1.11.9, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
As noted in a recent clarification to the Vault security model, Vault operators should ensure that Vault configuration files and storage backends are appropriately secured, as described in Vault’s production hardening guidelines.
Furthermore, we generally recommend the usage of HashiCorp-supported and highly-available storage backends such as integrated storage or Consul for production use.
Acknowledgement
This issue was identified by Yuval Ostrovsky, Gal Goldshtein, and Daniel Abeles of Oxeye.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.