HCSEC-2023-29 - Vault Enterprise’s Sentinel RGP Policies Allowed For Cross-Namespace Denial of Service

Bulletin ID: HCSEC-2023-29
Affected Products / Versions: Vault Enterprise since 0.11.0; fixed in 1.15.0, 1.14.4, and 1.13.8.
Publication Date: September 28, 2023

Summary
A Vault Enterprise Sentinel Role Governing Policy created by an operator to restrict access to resources in one namespace could be applied to requests in another, non-descendant namespace, potentially resulting in denial of service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8.

Background
Namespaces are self-managed isolated environments within Vault, isolating data such as secret engines, auth methods, and policies from other namespaces. Namespaces can contain other (child) namespaces, where policies and identities can be shared through the parent/child relationship.

Sentinel in Vault Enterprise augments Vault’s built-in ACL policy system by providing Role Governing Policies (tied to entities or groups) and Endpoint Governing Policies (tied to paths). Sentinel policies are evaluated and enforced by Vault, allowing operators to more granularly define when to grant access to certain resources.

Details
An external party reported that it was possible for a Role Governing Policy (RGP) of one namespace to be used to restrict resources in another, non-child namespace. This issue only affects RGPs; neither Sentinel Endpoint Governing Policies (EGPs) nor Vault’s ACLs are affected.

Sentinel RGPs can be set by users authorized to write to the /sys/policies/rgp endpoint. These policies can only restrict or deny access to resources; they cannot grant additional access. As a result, the impact of this vulnerability is limited to denial of service.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.15.0, 1.14.4, 1.13.8, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
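To help an operator decide whether a given build falls in the affected range, the following is an added Python check (not HashiCorp's code) that compares a Vault version string against the fixed releases listed above. It assumes the `+ent` build suffix that Vault Enterprise reports in its version string, and treats a build at or above the fix for its own branch as patched.

```python
import re

# Fixed releases from HCSEC-2023-29 (CVE-2023-3775): the first patched build on
# each maintained branch. 1.13.x and 1.14.x received backported fixes; every
# other branch is patched only from 1.15.0 onwards.
FIXED_VERSIONS = [(1, 13, 8), (1, 14, 4), (1, 15, 0)]
FIRST_AFFECTED = (0, 11, 0)  # affected range starts at 0.11.0 per the advisory

# Accepts '1.14.3+ent', 'v1.13.7+ent.hsm', '1.15.0-rc1+ent' and similar forms;
# build and prerelease suffixes are ignored for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str) -> tuple:
    """Parse a Vault version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_enterprise(version: str) -> bool:
    """Only Vault Enterprise ships Sentinel, so only '+ent' builds are in scope
    (assumption: the '+ent' suffix identifies Enterprise builds)."""
    return "+ent" in version


def is_affected(version: str) -> bool:
    """Return True if this build is Vault Enterprise inside the vulnerable range.

    A build is patched if it is at or above the fix for its own minor branch
    (1.13.8, 1.14.4) or at or above 1.15.0 on any other branch. Builds older
    than 0.11.0 predate RGPs, and non-Enterprise builds have no Sentinel.
    """
    if not is_enterprise(version):
        return False
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    # Branches that received their own backported fix
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v < fixed
    # Every other branch: vulnerable below 1.15.0, patched at 1.15.0 or newer
    return v < (1, 15, 0)
```

A 1.12.x build, for example, reports as affected because no 1.12 backport is listed; the advisory's remediation for it is to move to 1.13.8, 1.14.4, 1.15.0 or newer.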

Acknowledgement
This issue was identified by Marc Billow of Indeed who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.