HCSEC-2024-20 - Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Bulletin ID: HCSEC-2024-20

Affected Products / Versions: Vault Community Edition from 1.7.7 up to 1.17.5, fixed in 1.17.6.
Vault Enterprise from 1.7.7 up to 1.17.5, 1.16.9, 1.15.14, fixed in 1.17.6, 1.16.10, and 1.15.15.

Publication Date: September 26, 2024

Summary
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. This vulnerability, CVE-2024-7594, was fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Background
Vault’s SSH secrets engine can be used to manage access to infrastructure using SSH. The SSH secrets engine can also sign SSH certificates to manage access to infrastructure at scale using the certificate authority capabilities built into Vault.

Details
The valid_principals field is used by the SSH server to validate the certificate that is generated by Vault. In the context of SSH certificate validation, “valid principals” can be a string containing zero or more principals. When set to an empty string or zero principals, the certificate is valid for any principal of the specified type. Vault now provides an allow_empty_principals configuration for the SSH secrets engine, defaulting to false, to ensure a safe default and help preserve backward compatibility.
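The following added check is not part of this bulletin or of Vault: it parses an issued OpenSSH certificate line (for example the signed_key value returned by the SSH secrets engine's sign endpoint, or any line ssh-keygen can read) and reports whether its valid principals list is empty, which is the condition under which the certificate authenticates as any user. Function names are the author's own, and build_demo_cert produces a constructed, unsigned certificate solely to exercise the parser offline.

```python
import base64
import struct

# Key-type-specific strings after the nonce (ed25519: pk; rsa: e, n; ecdsa: curve, key)
_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
}

def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length prefix) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack_string(b):
    return struct.pack(">I", len(b)) + b

def cert_principals(cert_line):
    """Return the valid principals listed in an OpenSSH certificate line."""
    key_type, b64 = cert_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type or key_type not in _KEY_FIELDS:
        raise ValueError("unsupported or inconsistent certificate type")
    for _ in range(1 + _KEY_FIELDS[key_type]):  # skip nonce and key fields
        _, off = _read_string(blob, off)
    off += 8 + 4  # skip uint64 serial and uint32 type (user/host)
    _key_id, off = _read_string(blob, off)
    packed, _ = _read_string(blob, off)  # principals: packed strings in one string
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return principals

def is_unrestricted(cert_line):
    # An empty principals list means the cert is valid for any user on the host
    return not cert_principals(cert_line)

def build_demo_cert(principals):
    """Constructed, unsigned ed25519 certificate for demonstration only."""
    body = _pack_string(b"ssh-ed25519-cert-v01@openssh.com")
    body += _pack_string(b"\x00" * 32) + _pack_string(b"\x00" * 32)  # nonce, pk
    body += struct.pack(">QI", 1, 1)  # serial 1, type 1 = user certificate
    body += _pack_string(b"vault-demo-key-id")
    body += _pack_string(b"".join(_pack_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1)  # valid after / valid before
    body += _pack_string(b"") * 5  # critical options, extensions, reserved, sig key, sig
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Running is_unrestricted over certificates issued before and after setting valid_principals or default_user confirms whether the remediation took effect on the certificates clients actually receive.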

Remediation
Customers should evaluate the risk associated with this issue, and consider setting the SSH secrets engine valid_principals field to a non-empty value, or upgrading to Vault Community Edition 1.17.6 or Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.

Please refer to Upgrading Vault for general guidance.

Acknowledgement
This issue was identified by Jörn Heissler who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.