HCSEC-2023-28 - Vault’s Transit Secrets Engine Allowed Nonce Specified without Convergent Encryption

Bulletin ID: HCSEC-2023-28
Affected Products / Versions: Vault and Vault Enterprise since 1.6.0; fixed in 1.14.3, 1.13.7, and 1.12.11.
Publication Date: September 14, 2023

Summary
The Vault and Vault Enterprise (“Vault”) transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using the transit secrets engine without convergent encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11.

Background
Vault’s transit secrets engine provides the ability to perform encryption and decryption operations of user-specified data using a key managed by Vault.

Convergent encryption is a feature in the transit secrets engine that returns deterministic ciphertext provided identical plaintexts and contexts.

As documented, version 1 of convergent encryption required the client to provide their own nonce, and this behaviour was preserved for backwards compatibility. Version 3 of convergent encryption derives nonces from plaintext and is resistant to nonce reuse. Non-convergent symmetric encryption modes of transit encryption use AES-GCM or ChaCha20-Poly1305.

The transit secrets engine provides encryption capability via its encrypt endpoint.

Details
An external party reported that Vault did not restrict the use of user-provided nonces when performing encryption operations on the transit secrets engine when convergent encryption is not enabled.

An authenticated Vault user authorized by Vault policies to encrypt transit data may be able to decrypt arbitrary ciphertext by performing encryption operations using known plaintexts and nonces.

Furthermore, for non-convergent modes using AES-GCM, an authenticated Vault user authorized by Vault policies to encrypt data may be able to derive the authentication subkey used to authenticate the ciphertext, because AES-GCM loses its authentication security when a nonce is reused under the same key.
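The condition described in the Details section (an encrypt request that carries a caller-supplied nonce against a key that does not use convergent encryption) is visible in Vault's audit log, because the request data keys survive the audit device's HMAC hashing. The following script is an added example, not HashiCorp's code: it scans constructed audit log entries for transit encrypt requests that include a nonce, either at the top level or inside a batch_input item, and rates each finding against a constructed snapshot of the keys' convergent_encryption settings. It assumes the transit engine is mounted at the default path `transit/`; the `KEY_CONFIG` dictionary and the log lines are constructed sample data.

```python
"""Added example (not HashiCorp's code): find transit encrypt requests that
carry a caller-supplied nonce in Vault audit log entries and rate them by
whether the target key uses convergent encryption."""
import json

# Constructed sample of Vault file-audit-device lines (one JSON entry per
# line). Values such as "hmac-sha256:aa" stand in for the HMACed values the
# audit device emits by default; the keys are what this check relies on.
SAMPLE_AUDIT_LOG = """\
{"type":"request","time":"2023-09-14T10:00:00Z","auth":{"display_name":"token-app1","policies":["transit-user"]},"request":{"id":"req-1","operation":"update","path":"transit/encrypt/orders","data":{"plaintext":"hmac-sha256:aa"}}}
{"type":"request","time":"2023-09-14T10:00:01Z","auth":{"display_name":"token-app2","policies":["transit-user"]},"request":{"id":"req-2","operation":"update","path":"transit/encrypt/orders","data":{"plaintext":"hmac-sha256:bb","nonce":"hmac-sha256:cc"}}}
{"type":"request","time":"2023-09-14T10:00:02Z","auth":{"display_name":"token-app2","policies":["transit-user"]},"request":{"id":"req-3","operation":"update","path":"transit/encrypt/invoices","data":{"batch_input":[{"plaintext":"hmac-sha256:dd"},{"plaintext":"hmac-sha256:ee","nonce":"hmac-sha256:ff"}]}}}
{"type":"request","time":"2023-09-14T10:00:03Z","auth":{"display_name":"token-app3","policies":["transit-user"]},"request":{"id":"req-4","operation":"update","path":"transit/encrypt/ledger","data":{"plaintext":"hmac-sha256:11","context":"hmac-sha256:22","nonce":"hmac-sha256:33"}}}
{"type":"response","time":"2023-09-14T10:00:03Z","request":{"id":"req-4","operation":"update","path":"transit/encrypt/ledger"}}
"""

# Constructed snapshot of key settings, as a read of transit/keys/<name>
# would report them (only the field this check needs is kept).
KEY_CONFIG = {
    "orders": {"convergent_encryption": False},
    "invoices": {"convergent_encryption": False},
    "ledger": {"convergent_encryption": True},
}

# Assumption: transit is mounted at its default path.
ENCRYPT_PREFIX = "transit/encrypt/"


def key_name(path):
    """Return the key name addressed by a transit encrypt path, else None."""
    if path.startswith(ENCRYPT_PREFIX):
        return path[len(ENCRYPT_PREFIX):] or None
    return None


def nonce_positions(data):
    """List where a caller-supplied nonce appears in the request data:
    the top-level 'nonce' field and/or any batch_input[i].nonce."""
    positions = []
    if "nonce" in data:
        positions.append("nonce")
    for i, item in enumerate(data.get("batch_input") or []):
        if isinstance(item, dict) and "nonce" in item:
            positions.append(f"batch_input[{i}].nonce")
    return positions


def find_nonce_requests(log_text, key_config):
    """Scan audit log text and return one finding per encrypt request that
    carried a nonce. Severity is 'high' when the key is known to be
    non-convergent, 'info' when it is convergent (v1 legitimately requires
    a nonce), and 'unknown' when the key is not in the snapshot."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue  # response entries repeat the path but carry no data
        req = entry.get("request", {})
        name = key_name(req.get("path", ""))
        if name is None or req.get("operation") != "update":
            continue
        positions = nonce_positions(req.get("data") or {})
        if not positions:
            continue
        convergent = key_config.get(name, {}).get("convergent_encryption")
        if convergent is None:
            severity = "unknown"
        elif convergent:
            severity = "info"
        else:
            severity = "high"
        findings.append({
            "request_id": req.get("id"),
            "time": entry.get("time"),
            "actor": entry.get("auth", {}).get("display_name"),
            "key": name,
            "positions": positions,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_nonce_requests(SAMPLE_AUDIT_LOG, KEY_CONFIG):
        print(f"[{f['severity']}] {f['time']} {f['actor']} key={f['key']} "
              f"nonce at {', '.join(f['positions'])} ({f['request_id']})")
```

Run against the constructed sample, the scan flags req-2 and req-3 as high (non-convergent keys, the second via a nested batch_input item) and req-4 as info. The batch_input case matters for prevention as well as detection: Vault ACL parameter restrictions such as `denied_parameters` match top-level request keys, so a policy that blocks `nonce` on the encrypt path does not cover nonces nested inside batch_input, which is why upgrading to a fixed version remains the remediation.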

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.14.3, 1.13.7, 1.12.11, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Information about transit key rotation can be found in the transit secrets engine documentation.

Acknowledgement
This issue was identified by Rob Zimmerman and Sze Chuen Tan of Cloudflare who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.