HCSEC-2023-14 - Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-Based Encryption Mechanism with a HSM

Bulletin ID: HCSEC-2023-14
Affected Products / Versions: Vault Enterprise 1.13.0 up to 1.13.1; fixed in 1.13.2.
Publication Date: May 1, 2023

A vulnerability was identified for specific Vault Enterprise (“Vault”) HSM integration configurations in which a padding oracle attack may be possible, due to Vault not properly applying an HMAC to messages sent from the HSM when using a CBC-based encryption mechanism. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify ciphertext in order to derive Vault’s root key.

This issue only affects Vault’s root key wrapping functionality with an HSM, and does not affect other aspects of Vault’s security model. No other HSM functionality was affected due to Vault’s defense-in-depth protection around message tampering. Compromise of the root key is not sufficient for compromising other Vault storage unless the HSM is compromised.

This vulnerability, CVE-2023-2197, affects Vault from 1.13.0 up to 1.13.1 and was fixed in 1.13.2

Vault’s HSM support is available for devices that support PKCS#11 interfaces and provide integration libraries. Vault integrates with the HSM to provide the following functionality:

  • Root Key Wrapping
  • Automatic Unsealing
  • Seal Wrapping
  • Entropy Augmentation

More information on HSM support can be found on the Vault Enterprise HSM page.

When configuring an HSM in Vault, there are several encryption mechanisms to choose from as part of Vault’s configuration. This issue only affects configurations which utilize CBC-based encryption (CKM_AES_CBC_PAD - the default, if not explicitly configured - or CKM_AES_CBC).

If an attacker were able to successfully derive the root key using a padding oracle attack, the barrier keyring is still encrypted by the HSM. An attack would need to be able to access the HSM directly in order to fully decrypt the barrier keyring and thus decrypt Vault storage.

For other functionalities of HSM usage in Vault, software-backed encryption protections within Vault will detect any ciphertext tampering or manipulation and would result in not decrypting or completing the action (i.e. accessing storage, accessing a plugin, reading the barrier keyring).

Operators of Vault Enterprise deployments which utilize the HSM functionality with either the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms should assess risk / exposure as described, and consider upgrading to the latest version of Vault Enterprise, 1.13.2.

After upgrading, Vault should be rekeyed with vault operator rekey -init used to generate a new set of unseal keys. More information on the rekey command can be found at https://developer.hashicorp.com/vault/docs/commands/operator/rekey.

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.