HCSEC-2024-05 - Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates

Bulletin ID: HCSEC-2024-05
Affected Products / Versions: Vault and Vault Enterprise up to 1.15.4, 1.14.9; fixed in 1.15.5 and 1.14.10.
Publication Date: March 4, 2024

Summary
The TLS certificate auth method in Vault and Vault Enterprise (“Vault”) did not correctly validate client certificates when configured with a non-CA certificate as the trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. This vulnerability, CVE-2024-2048, is fixed in Vault 1.15.5 and 1.14.10.

Background
Vault offers a wide range of auth methods, including TLS client certificates. Vault’s TLS auth method supports trusted certificates signed by certificate authorities as well as non-CA signed certificates.

Details
Vault relies on Go’s TLS libraries to validate client certificates, in combination with further checks in Vault’s code. It was discovered that when the trusted certificate was a non-CA signed certificate, Vault insufficiently validated the presented client certificate against it. As a result, an attacker could use a maliciously crafted certificate to bypass authentication, provided the attacker has out-of-band access to information about the public trusted certificate.
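The distinction the advisory draws, between a trusted certificate that is a CA (which anchors a chain) and one that is not (which cannot sign anything, so the presented leaf must be the trusted certificate itself), is shown below as an added example. It is not Vault's code and not part of this bulletin; the helper names validateClientCert, newCert and runScenarios are hypothetical, and every certificate is constructed in memory with a fresh P-256 key. The look-alike certificate copies only the trusted certificate's public subject, which is the kind of out-of-band information the advisory mentions; pinning the exact DER encoding rejects it, while a check that stops at the subject would not.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// validateClientCert is a hypothetical helper (not Vault's code) applying the
// two trust models the advisory distinguishes. A trusted CA certificate anchors
// a chain built by Go's x509 verifier; a trusted non-CA certificate cannot sign
// anything, so the presented leaf must match it byte-for-byte.
func validateClientCert(trusted, presented *x509.Certificate) error {
	if trusted.IsCA {
		roots := x509.NewCertPool()
		roots.AddCert(trusted)
		_, err := presented.Verify(x509.VerifyOptions{
			Roots:     roots,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		})
		return err
	}
	// Pin the exact DER encoding. Comparing only subject, issuer or serial
	// would accept a look-alike certificate that copies those public fields.
	if !bytes.Equal(trusted.Raw, presented.Raw) {
		return errors.New("client certificate does not match the pinned non-CA trusted certificate")
	}
	return nil
}

// newCert creates a constructed test certificate with a fresh P-256 key.
// With parent == nil the certificate is self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// runScenarios exercises both trust models against the exact certificate and a
// look-alike that reuses the trusted subject under a different key. It reports,
// per scenario, whether the presented certificate was accepted.
func runScenarios() (map[string]bool, error) {
	pinned, _, err := newCert("app-client", false, nil, nil)
	if err != nil {
		return nil, err
	}
	lookalike, _, err := newCert("app-client", false, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := newCert("internal-ca", true, nil, nil)
	if err != nil {
		return nil, err
	}
	issued, _, err := newCert("app-client", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"pinned/exact":     validateClientCert(pinned, pinned) == nil,
		"pinned/lookalike": validateClientCert(pinned, lookalike) == nil,
		"ca/issued-leaf":   validateClientCert(ca, issued) == nil,
		"ca/lookalike":     validateClientCert(ca, lookalike) == nil,
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, accepted := range results {
		fmt.Printf("%-18s accepted=%v\n", name, accepted)
	}
}
```

Running the program accepts only the pinned certificate itself and the CA-issued leaf; both look-alikes are rejected. The design point is that a non-CA trust anchor is a pin, not a root, so the correct check is equality of the certificate, never a chain build or a comparison of public fields that a third party can learn.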

Remediation
Customers using the TLS auth method with a non-CA certificate as a trusted certificate in their Vault installation should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.15.5, 1.14.10, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Nathanial “d0nut” Lattimer who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.