HCSEC-2024-07 - Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses

Bulletin ID: HCSEC-2024-07
Affected Products / Versions: Vault and Vault Enterprise from 1.14.0 through 1.15.6, and 1.14.10; fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.
Publication Date: April 4, 2024

Summary
The TLS certificate auth method in Vault and Vault Enterprise did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7, and 1.14.11.

Background
Vault offers a wide range of auth methods, including TLS client certificates. Vault's TLS certificate auth method supports several revocation-checking mechanisms, one of which is OCSP, used to check the validity (revocation status) of the client certificates presented to authenticate to Vault.

Details
A bug was introduced in the OCSP response handling logic of Vault’s TLS certificate authentication method that resulted in signatures and responses from multiple servers not being handled properly. A malicious actor with privileged network access may have been able to successfully authenticate via Vault’s TLS certificate authentication method with incorrect certificate status information.
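The paragraph above describes the failure class in general terms: when several OCSP sources are configured, each response must be checked against the key of the responder that produced it, and the individual verdicts must be combined so that a revoked or unverifiable answer can never be outweighed by a "good" one. The following Go program is an added illustration of that defender-side policy; it is not Vault's code and does not reproduce the Vault bug. It assumes a simplified Response struct in place of a real RFC 6960 OCSP response, responders identified by name, a constructed serial number, and a generic failOpen flag whose name is an assumption of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// CertStatus mirrors the three CertStatus values of RFC 6960.
type CertStatus uint32

const (
	StatusGood CertStatus = iota
	StatusRevoked
	StatusUnknown
)

// Response is a simplified stand-in for an OCSP single response: the serial it
// speaks about, the asserted status, and the responder's signature over both.
// Constructed for this example; not Vault's own type.
type Response struct {
	Serial    *big.Int
	Status    CertStatus
	Signature []byte
}

// Responder is one configured OCSP source together with its signing key.
type Responder struct {
	Name string
	Key  *ecdsa.PrivateKey
}

// NewResponder creates a responder with a fresh P-256 key (hypothetical helper).
func NewResponder(name string) (*Responder, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Responder{Name: name, Key: key}, nil
}

// digest binds serial and status together so a signature over one status
// cannot be replayed as a different status for the same certificate.
func digest(serial *big.Int, status CertStatus) []byte {
	h := sha256.New()
	h.Write(serial.Bytes())
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], uint32(status))
	h.Write(b[:])
	return h.Sum(nil)
}

// Sign issues a response for serial carrying the given status.
func (r *Responder) Sign(serial *big.Int, status CertStatus) (Response, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, r.Key, digest(serial, status))
	if err != nil {
		return Response{}, err
	}
	return Response{Serial: new(big.Int).Set(serial), Status: status, Signature: sig}, nil
}

// verify checks that resp is about the requested serial and was signed by pub.
func verify(pub *ecdsa.PublicKey, serial *big.Int, resp Response) error {
	if resp.Serial == nil || resp.Serial.Cmp(serial) != 0 {
		return errors.New("response is for a different serial")
	}
	if !ecdsa.VerifyASN1(pub, digest(resp.Serial, resp.Status), resp.Signature) {
		return errors.New("signature does not verify against this responder's key")
	}
	return nil
}

// CheckRevocation combines responses keyed by responder name. Each response is
// verified against that responder's own trusted key (never a pooled key set),
// and verdicts are combined fail-closed: one revoked or unverifiable response
// denies; only "unknown" everywhere is left to the failOpen policy.
func CheckRevocation(serial *big.Int, responses map[string]Response, trusted map[string]*ecdsa.PublicKey, failOpen bool) (bool, error) {
	if len(responses) == 0 {
		if failOpen {
			return true, nil
		}
		return false, errors.New("no OCSP response available")
	}
	sawGood := false
	for name, resp := range responses {
		pub, ok := trusted[name]
		if !ok {
			return false, fmt.Errorf("response from unconfigured responder %q", name)
		}
		if err := verify(pub, serial, resp); err != nil {
			return false, fmt.Errorf("responder %q: %w", name, err)
		}
		if resp.Status == StatusRevoked {
			return false, fmt.Errorf("responder %q reports the certificate revoked", name)
		}
		if resp.Status == StatusGood {
			sawGood = true
		}
	}
	if sawGood || failOpen {
		return true, nil
	}
	return false, errors.New("no responder could confirm the certificate status")
}

func main() {
	a, _ := NewResponder("ocsp-a")
	b, _ := NewResponder("ocsp-b")
	trusted := map[string]*ecdsa.PublicKey{a.Name: &a.Key.PublicKey, b.Name: &b.Key.PublicKey}
	serial := big.NewInt(0x1234) // constructed serial
	good, _ := a.Sign(serial, StatusGood)
	revoked, _ := b.Sign(serial, StatusRevoked)
	// One good and one revoked answer: denied.
	fmt.Println(CheckRevocation(serial, map[string]Response{a.Name: good, b.Name: revoked}, trusted, false))
	// A's genuine response attributed to B: signature check fails, denied.
	fmt.Println(CheckRevocation(serial, map[string]Response{b.Name: good}, trusted, false))
}
```

The two denial cases in main are the ones a reviewer of a multi-responder OCSP client should test for: a conflicting verdict across sources, and a response that verifies under some configured key but not under the key of the source it was attributed to. A client that accepts either is trusting status information it has not actually authenticated.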

Remediation
Customers using the TLS auth method with an OCSP server configured in their Vault installation should evaluate the risk associated with this issue and consider upgrading to Vault 1.16.0 or newer, or Vault Enterprise 1.16.1, 1.15.7, 1.14.11, or newer.

Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.