HCSEC-2023-24 - Vault's LDAP Auth Method Allows for User Enumeration

Bulletin ID: HCSEC-2023-24
Affected Products / Versions: Vault and Vault Enterprise, versions 1.13.0 through 1.14.0 and 1.13.4. Fixed in 1.14.1 and 1.13.5.
Publication Date: July 31, 2023

Summary
The Vault and Vault Enterprise (“Vault”) LDAP auth method allows unauthenticated users to potentially enumerate valid accounts in the configured LDAP system by observing the response error when querying usernames. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5.
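One way a defender can spot the enumeration pattern this bulletin describes is to watch Vault's audit log for a single source whose failed `auth/ldap/login/<user>` requests spread across many distinct usernames. The script below is an added example, not HashiCorp's code; the sample log lines are constructed to follow the general shape of Vault's JSON audit output (top-level `type` and `error`, `request.path`, `request.remote_address`), and that field layout, the default `ldap` mount path and the error strings are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample lines shaped like Vault's JSON audit device output
# (top-level "type" and "error", "request.path", "request.remote_address").
# The field layout is an assumption for this example; the lines are not real data.
SAMPLE_AUDIT_LOG = """\
{"type":"response","request":{"path":"auth/ldap/login/alice","remote_address":"10.0.0.5"},"error":"ldap operation failed: user not found"}
{"type":"response","request":{"path":"auth/ldap/login/bob","remote_address":"10.0.0.5"},"error":"ldap operation failed: user not found"}
{"type":"response","request":{"path":"auth/ldap/login/carol","remote_address":"10.0.0.5"},"error":"ldap operation failed: invalid credentials"}
{"type":"response","request":{"path":"auth/ldap/login/dave","remote_address":"10.0.0.5"},"error":"ldap operation failed: user not found"}
{"type":"response","request":{"path":"auth/ldap/login/alice","remote_address":"10.0.0.9"},"error":"ldap operation failed: invalid credentials"}
{"type":"response","request":{"path":"auth/ldap/login/alice","remote_address":"10.0.0.9"},"error":""}
{"type":"response","request":{"path":"secret/data/app","remote_address":"10.0.0.9"},"error":""}
"""

LDAP_LOGIN_PREFIX = "auth/ldap/login/"  # assumes the auth method is mounted at the default "ldap"


def failed_ldap_logins(lines):
    """Yield (remote_address, username) for every failed LDAP login response."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") != "response" or not entry.get("error"):
            continue  # request records and successful logins are not failures
        req = entry.get("request", {})
        path = req.get("path", "")
        if not path.startswith(LDAP_LOGIN_PREFIX):
            continue
        yield req.get("remote_address", "unknown"), path[len(LDAP_LOGIN_PREFIX):]


def enumeration_suspects(lines, min_distinct_users=3):
    """Map remote_address -> sorted usernames for sources whose failed LDAP logins
    spread across at least min_distinct_users distinct usernames. Many usernames
    failing from one source is the enumeration pattern; one username failing
    repeatedly looks more like a typo or a brute-force attempt."""
    seen = defaultdict(set)
    for addr, user in failed_ldap_logins(lines):
        seen[addr].add(user)
    return {addr: sorted(users) for addr, users in seen.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_AUDIT_LOG.splitlines()))
```

The detection does not depend on the wording of the error, so it keeps working after the fixed versions make the responses uniform; only the per-source spread of usernames matters.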

Background
The LDAP auth method allows authentication using an existing LDAP server and user/password credentials.

Details
An external party reported that it was possible to enumerate LDAP user accounts through error messages returned when using Vault’s LDAP auth method.

A similar issue regarding user enumeration and LDAP was remediated in December 2020.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.14.1, 1.13.5, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was reported by Jared Johnstone.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.