Bulletin ID: HCSEC-2024-01
Affected Products / Versions: Vault and Vault Enterprise 1.15.0 through 1.15.4; fixed in 1.15.5.
Publication Date: January 31, 2024
Summary
Vault and Vault Enterprise (“Vault”) may expose sensitive information when an audit device is enabled with the log_raw option: sensitive information may then also be logged to other audit devices, regardless of whether those devices are configured to use log_raw. This vulnerability, CVE-2024-0831, was introduced in Vault 1.15.0 and is fixed in Vault 1.15.5.
Background
Audit devices are the components in Vault that collectively keep a detailed log of all requests to Vault and their responses. Log entries that are considered sensitive, such as passwords, are hashed with a salt using HMAC-SHA256. An option exists in Vault, log_raw, that logs the sensitive information without hashing, in its raw format.
More information on audit devices can be found at https://developer.hashicorp.com/vault/docs/audit.
Details
When log_raw is enabled by setting it to true for an individual audit device, it should apply only to that single specified device. However, in the affected Vault versions, setting log_raw to true does not apply only to the targeted audit device; instead it is set globally for all audit devices configured in the Vault deployment.
This may expose sensitive data included in the logs in clear text to audit devices that were not intended to receive the unhashed logs.
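As an added illustrative check that is not part of this bulletin, the following Python snippet scans JSON-lines audit output from a device that was not configured with log_raw and flags any string value under request.data or response.data that is not an HMAC-SHA256 digest, which is what an unintended raw log would contain. It assumes the standard Vault audit log shape, where hashed values carry the hmac-sha256: prefix; the two sample lines are constructed for the example.

```python
import json
import re

# HMAC-SHA256 hashed audit values take this shape in Vault audit logs (assumed format).
HMAC_RE = re.compile(r"^hmac-sha256:[0-9a-f]{64}$")

# Constructed sample lines: the first is what a device without log_raw should
# emit (sensitive values hashed); the second is what it would emit if log_raw
# had leaked onto it (cleartext). Both are synthetic, not real audit records.
SAMPLE_LOG = """\
{"type":"request","request":{"path":"secret/data/app","operation":"update","data":{"data":{"password":"hmac-sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}}}}
{"type":"response","request":{"path":"secret/data/app","operation":"read"},"response":{"data":{"data":{"password":"hunter2-constructed"}}}}
"""

def _walk(value, path=""):
    """Yield (json_path, leaf) pairs for every scalar in a nested structure."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value

def find_unhashed_fields(log_text):
    """Return (line_no, json_path, value) for string leaves under request.data or
    response.data that are not HMAC-SHA256 digests, i.e. were written raw."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = json.loads(line)
        for section in ("request", "response"):
            data = entry.get(section, {}).get("data")
            if data is None:
                continue
            for path, leaf in _walk(data, f"{section}.data"):
                if isinstance(leaf, str) and not HMAC_RE.match(leaf):
                    findings.append((line_no, path, leaf))
    return findings

if __name__ == "__main__":
    for line_no, path, value in find_unhashed_fields(SAMPLE_LOG):
        print(f"line {line_no}: {path} is not HMAC'd: {value!r}")
```

Any hit from a device that was never configured with log_raw is a signal that raw logging leaked onto it and that the exposed values should be rotated or revoked.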
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.15.5, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes. Customers may also refer to the known issue entry.
If this feature has been enabled on a vulnerable version of Vault, customers should also evaluate their audit log devices for sensitive data that may have been captured and consider appropriate actions such as rotation or revocation if necessary.
Acknowledgement
This issue was identified by the Vault engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.