HCSEC-2024-14 - Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior

Bulletin ID: HCSEC-2024-14
Affected Products / Versions: Vault and Vault Enterprise, versions 1.10.0 through 1.15.11; fixed in 1.17.2, 1.16.6, and 1.15.12.
Publication Date: July 11, 2024

Summary
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.

While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.

This vulnerability, CVE-2024-6468, was fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.

Background
The proxy_protocol_behavior option in the TCP listener stanza, when specified, enables PROXY protocol handling for the listener. When proxy_protocol_behavior is set to allow_authorized or deny_unauthorized, the proxy_protocol_authorized_addrs option needs to be set to more than one IP address.
More information on the TCP listener options can be found in the TCP listener configuration documentation (TCP - Listeners - Configuration | Vault | HashiCorp Developer).

Details
A bug existed in how the Vault API handled requests from unauthorized IP addresses when proxy_protocol_behavior was set to deny_unauthorized, the setting that blocks such requests from reaching the Vault API. Instead of dropping the denied request and continuing to serve other requests, the Vault API returned an unhandled error, causing the Vault API service to quit and no longer respond to requests.

Remediation
Customers using proxy_protocol_behavior with the deny_unauthorized option in the TCP listener should evaluate the risk associated with this issue and consider upgrading to Vault 1.17.2, 1.16.6, or 1.15.12, or consider not using the proxy_protocol_behavior option at all. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
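As an added example (not HashiCorp's code), the following Python check reads a Vault server configuration and a Vault version string and reports which TCP listeners set deny_unauthorized on a version that lacks the fix, using the affected and fixed versions stated in this bulletin. The HCL handling is a minimal brace-matching scan written for this check, and the configuration is a constructed sample.

```python
"""Flag Vault TCP listeners exposed to HCSEC-2024-14 (CVE-2024-6468)."""
import re

FIRST_AFFECTED = (1, 10, 0)
# Fix versions named in the bulletin, keyed by minor release line.
FIXES = {(1, 15): (1, 15, 12), (1, 16): (1, 16, 6), (1, 17): (1, 17, 2)}

def parse_version(v: str) -> tuple:
    """Turn '1.15.11', 'v1.16.5+ent' or '1.17.1-rc1' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {v!r}")
    return tuple(int(x) for x in m.groups())

def has_fix(version: str) -> bool:
    """True when the version predates the bug or carries the fix."""
    t = parse_version(version)
    if t < FIRST_AFFECTED:
        return True
    fix = FIXES.get(t[:2])
    if fix is None:                 # 1.10-1.14 got no patch; 1.18+ include it
        return t >= (1, 17, 2)
    return t >= fix

def tcp_listener_blocks(hcl: str) -> list:
    """Return the body of each listener "tcp" { ... } stanza, matching braces
    so nested blocks such as telemetry { ... } do not end the stanza early."""
    blocks = []
    for m in re.finditer(r'listener\s+"tcp"\s*\{', hcl):
        depth, start = 1, m.end()
        for i in range(start, len(hcl)):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            if depth == 0:
                blocks.append(hcl[start:i])
                break
    return blocks

def exposed_listeners(hcl: str, version: str) -> list:
    """Addresses of listeners that can trigger the DoS on this version."""
    findings = []
    for n, body in enumerate(tcp_listener_blocks(hcl), 1):
        behavior = re.search(r'proxy_protocol_behavior\s*=\s*"([^"]*)"', body)
        if behavior and behavior.group(1) == "deny_unauthorized" and not has_fix(version):
            addr = re.search(r'address\s*=\s*"([^"]*)"', body)
            findings.append(addr.group(1) if addr else f"listener #{n}")
    return findings

# Constructed sample: one listener denies unauthorized PROXY sources, one does not.
SAMPLE_CONFIG = """
listener "tcp" {
  address                         = "0.0.0.0:8200"
  proxy_protocol_behavior         = "deny_unauthorized"
  proxy_protocol_authorized_addrs = ["10.0.0.5", "10.0.0.6"]
  telemetry { unauthenticated_metrics_access = true }
}
listener "tcp" { address = "127.0.0.1:8201" }
"""

if __name__ == "__main__":
    for ver in ("1.15.11", "1.15.12", "1.17.1", "1.18.0"):
        print(ver, exposed_listeners(SAMPLE_CONFIG, ver))
```

Point it at your own config with `exposed_listeners(open(path).read(), version)`, where `version` comes from `vault version`.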

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.