HCSEC-2023-31 - Vagrant’s Windows Installer Allowed Directory Junction Write

Bulletin ID: HCSEC-2023-31
Affected Products / Versions: Vagrant’s Windows installer; fixed in Vagrant 2.4.0.
Publication Date: October 27, 2023

The Vagrant Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. This vulnerability, CVE-2023-5834, was fixed in Vagrant 2.4.0.

Vagrant is distributed in a range of platform-specific formats, available from Vagrant downloads.

For the Windows platform, the format used is Windows Installer (MSI).

It was reported that the Vagrant Windows installer’s use of a custom location on a non-protected path exposed the target system to unauthorized file system writes via a directory junction. The impact is system-dependent, but in some cases may include privilege escalation.

This was addressed in Vagrant 2.4.0, by moving the Windows install location to the system-protected Program Files directory.

Customers using the Vagrant Windows installer should consider moving to the 2.4.0 release or newer. Please refer to Upgrading Vagrant for general guidance and upgrade notes.
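A host-side check for the condition this bulletin describes, as an added example that is not HashiCorp's code: it reports reparse points (junctions, symlinks) on an install directory or any of its ancestors, and ACL entries on that directory that grant write-type rights to principals outside a short trusted list. The function name `Test-InstallPathProtection`, the trusted-SID list and the `<VagrantInstallDir>` placeholder are assumptions; the bulletin does not state the affected path.

```powershell
# Added example (not HashiCorp code). Test-InstallPathProtection is a hypothetical helper name.
function Test-InstallPathProtection {
    param([Parameter(Mandatory)][string]$Path)

    # SIDs expected to hold write access on a system-protected directory (assumed list).
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # NT SERVICE\TrustedInstaller
    )
    # Rights that allow creating, replacing or re-permissioning content, plus the
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits inheritable ACEs may carry.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000

    $target = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $target.PSIsContainer) { throw "$Path is not a directory" }

    # 1. A junction or symlink on the directory or any ancestor redirects writes made beneath it.
    for ($dir = $target; $dir; $dir = $dir.Parent) {
        if ($dir.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'ReparsePoint'; Detail = [string]$dir.LinkType }
        }
    }

    # 2. Allow ACEs on the directory that grant write-type rights to principals outside $trusted.
    $acl = Get-Acl -LiteralPath $target.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $trusted -notcontains $sid -and
            ([int]$ace.FileSystemRights -band $mask)) {
            [pscustomobject]@{ Path = $target.FullName; Finding = 'NonAdminWrite'; Detail = "$sid : $($ace.FileSystemRights)" }
        }
    }
}

# Usage: <VagrantInstallDir> is a placeholder for the install directory on your host.
# Test-InstallPathProtection -Path '<VagrantInstallDir>' | Format-Table -AutoSize
```

No output means the directory has no reparse points on its path and no write access for principals outside the trusted list, which is the expected result for a directory under Program Files.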

This issue was identified by the Lockheed Martin Red Team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.