HCSEC-2023-30 - Vault’s Google Cloud Secrets Engine Removed Existing IAM Conditions When Creating / Updating Rolesets

Bulletin ID: HCSEC-2023-30
Affected Products / Versions: Vault and Vault Enterprise 0.10 and later, prior to 1.13.0; fixed in 1.13.0.
Publication Date: September 28, 2023

Summary
The Vault and Vault Enterprise (“Vault”) Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. This vulnerability, CVE-2023-5077, was fixed in Vault 1.13.0.

This bulletin is published retroactively: the fix shipped in Vault 1.13.0 and is carried forward in the Vault 1.14 and 1.15 release lines.

Background
The Google Cloud secrets engine allows Vault to provision dynamic IAM credentials for accessing Google Cloud environments.

Google Cloud IAM Conditions attach a condition expression (written in CEL) to an IAM role binding so that the grant applies only when the expression evaluates to true, for example only before a given timestamp or only for resources whose name matches a prefix. Dropping the condition from a binding turns a limited grant into an unconditional one.

A roleset consists of a Vault-managed Google Cloud service account together with a set of IAM bindings on Google Cloud resources, possibly carrying IAM Conditions, that grant that service account its access.

Details
It was discovered that when creating or updating a roleset, Vault rewrote the IAM policy of each bound resource but did not copy the condition of existing bindings into the newly constructed IAM policy binding objects. The conditions on those bindings were therefore no longer enforced once the roleset had been created or updated: a grant that had been limited by a condition became unconditional.
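The Go example below is added here to illustrate the bug class and the check an operator can run against it; it is not Vault's code and not HashiCorp's fix. The Condition, Binding and Policy types are simplified stand-ins for the Google Cloud IAM policy types, and the sample policy, role and member names are constructed for the example. It contrasts a merge that rebuilds bindings from role and members only (the behaviour described above) with one that copies the condition and treats the (role, condition) pair as the binding's identity, and it includes a before/after comparison that reports any conditional binding that did not survive the write.

```go
package main

// Simplified stand-ins for the Google Cloud IAM policy types (constructed for
// this example; not the SDK types and not Vault's own code).
type Condition struct {
	Title      string
	Expression string // CEL, e.g. request.time < timestamp("2024-01-01T00:00:00Z")
}

type Binding struct {
	Role      string
	Members   []string
	Condition *Condition // nil means the grant is unconditional
}

type Policy struct {
	Version  int // Google Cloud requires version 3 once any binding carries a condition
	Bindings []Binding
}

func sameCondition(a, b *Condition) bool {
	if a == nil || b == nil {
		return a == b
	}
	return a.Title == b.Title && a.Expression == b.Expression
}

// addMemberDroppingConditions shows the bug class: bindings are rebuilt from Role and
// Members only and matched on Role alone, so every Condition is silently lost.
func addMemberDroppingConditions(p Policy, role, member string) Policy {
	out := Policy{Version: p.Version}
	added := false
	for _, b := range p.Bindings {
		nb := Binding{Role: b.Role, Members: append([]string(nil), b.Members...)}
		if b.Role == role && !added {
			nb.Members = append(nb.Members, member)
			added = true
		}
		out.Bindings = append(out.Bindings, nb)
	}
	if !added {
		out.Bindings = append(out.Bindings, Binding{Role: role, Members: []string{member}})
	}
	return out
}

// addMemberPreserving is the corrected pattern: existing bindings are copied with
// their Condition, and the member joins only a binding whose role AND condition
// both match; otherwise a new binding carrying the requested condition is appended.
func addMemberPreserving(p Policy, role string, cond *Condition, member string) Policy {
	out := Policy{Version: p.Version}
	added := false
	for _, b := range p.Bindings {
		nb := Binding{Role: b.Role, Members: append([]string(nil), b.Members...), Condition: b.Condition}
		if b.Role == role && sameCondition(b.Condition, cond) && !added {
			nb.Members = append(nb.Members, member)
			added = true
		}
		out.Bindings = append(out.Bindings, nb)
	}
	if !added {
		out.Bindings = append(out.Bindings, Binding{Role: role, Members: []string{member}, Condition: cond})
	}
	if cond != nil && out.Version < 3 {
		out.Version = 3 // conditional bindings are only accepted in a version 3 policy
	}
	return out
}

func conditionKeys(p Policy) map[string]bool {
	keys := map[string]bool{}
	for _, b := range p.Bindings {
		if b.Condition != nil {
			keys[b.Role+"|"+b.Condition.Expression] = true
		}
	}
	return keys
}

// droppedConditions is the post-update check: it returns every conditional
// binding of before whose (role, condition) pair no longer exists in after.
func droppedConditions(before, after Policy) []Binding {
	var lost []Binding
	kept := conditionKeys(after)
	for _, b := range before.Bindings {
		if b.Condition != nil && !kept[b.Role+"|"+b.Condition.Expression] {
			lost = append(lost, b)
		}
	}
	return lost
}

// samplePolicy is a constructed resource policy: one time-limited grant, one unconditional.
func samplePolicy() Policy {
	return Policy{Version: 3, Bindings: []Binding{
		{Role: "roles/storage.objectViewer", Members: []string{"user:alice@example.com"},
			Condition: &Condition{Title: "expires-2024", Expression: `request.time < timestamp("2024-01-01T00:00:00Z")`}},
		{Role: "roles/viewer", Members: []string{"group:ops@example.com"}},
	}}
}
```

Run against the sample policy, the dropping merge loses the expires-2024 condition on the objectViewer binding while the preserving merge keeps it and places an unconditional Vault member in its own binding. Against a real project the same comparison can be made by fetching the resource policy with requestedPolicyVersion set to 3 before and after the roleset write, which Google Cloud requires for conditional bindings to be read and written.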

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.13.0 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes. Note that the upgrade changes only how Vault writes IAM policies from then on; a condition that a vulnerable version already removed from a resource's policy is not restored by upgrading, so operators should review the IAM policies of resources bound by existing rolesets and reapply any conditions that are missing.

Acknowledgement
This issue was identified by a third party who reported it and provided a fix to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.