HCSEC-2024-21 - Vault Operators in Root Namespace May Elevate Their Privileges

Bulletin ID: HCSEC-2024-21

Affected Products / Versions:

Vault Community Edition from 0.10.4 up to 1.17.6, fixed in 1.18.0.

Vault Enterprise from 0.10.4 up to 1.17.6, 1.16.10, 1.15.15, fixed in 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

Summary:

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s privileges to Vault’s root policy. This vulnerability, identified as CVE-2024-9180, is fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.

Background:

Vault’s identity secrets engine maps a single Vault client (an “entity”) to multiple authentication methods, so that all Vault clients can be managed centrally for authentication and authorization. Write access to Vault’s identity API endpoint allows operators to assign any existing (non-root) policies to entities.

A Vault cluster persists data in a configured storage backend, and can also cache some information, such as identity-related entity information, in memory local to the node.

Vault namespaces are a mechanism for providing tenant isolation and aiding in the long-term management of a Vault instance. Administrative namespaces grant a given namespace access to a pre-defined subset of privileged backend system endpoints in Vault.

Details:

Due to the mishandling of entries in Vault’s in-memory entity cache, a privileged Vault operator could manipulate a cached entity record through the identity API endpoint on a Vault node, potentially escalating an entity’s privileges to Vault’s root policy on this node.

The manipulated entity record was not propagated across the cluster or persisted to the storage backend, and would be cleared on server restarts.

Due to additional validation, the vulnerability does not affect entities in namespaces (including administrative namespaces) but only affects root namespace entities. This issue does not affect HCP Vault Dedicated due to its use of administrative namespaces.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.18.0 or Vault Enterprise 1.18.0, 1.17.7, 1.16.11, or 1.15.16. Please refer to Upgrading Vault for general guidance.

Alternatively, Sentinel EGP policies can be used or the default policy can be updated to restrict access to the identity endpoint. If an entity was assigned the root policy, requests in Vault audit logs will contain “root” inside the “identity_policies” array.
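The audit-log check described above, as an added example that is not part of this bulletin or of HashiCorp’s tooling: it scans Vault audit entries (JSON per line) and reports those whose auth.identity_policies array contains “root”. The sample log lines are constructed for illustration; their entity IDs, paths and timestamps are invented.

```python
import json
from typing import Iterable

# Constructed sample audit log lines in the JSON-per-line shape Vault's file
# audit device writes. Field names follow Vault's audit schema; values are made up.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-10-01T12:00:01Z","type":"response","auth":{"entity_id":"e1","identity_policies":["default"],"token_policies":["default"]},"request":{"path":"secret/data/app","operation":"read"}}
{"time":"2024-10-01T12:00:02Z","type":"request","auth":{"entity_id":"e1","identity_policies":["default","root"],"token_policies":["default"]},"request":{"path":"sys/policies/acl/admin","operation":"update"}}
{"time":"2024-10-01T12:00:03Z","type":"response","auth":{"entity_id":"e2","identity_policies":["root-reader"],"token_policies":["default"]},"request":{"path":"secret/data/app","operation":"read"}}
{"time":"2024-10-01T12:00:04Z","type":"response","auth":{"entity_id":"e1","identity_policies":["root"],"token_policies":["default"]},"request":{"path":"auth/token/create","operation":"update"}}
{"time":"2024-10-01T12:00:05Z","type":"response","auth":{"identity_policies":null,"token_policies":["root"]},"request":{"path":"sys/health","operation":"read"}}
"""


def find_root_identity_policy(lines: Iterable[str]) -> list[dict]:
    """Return one finding per audit entry whose auth.identity_policies contains
    exactly "root". Only identity_policies is checked: a policy name that merely
    contains the substring "root" (e.g. "root-reader") is not a match, and the
    root token's own "root" in token_policies is unrelated to entity manipulation."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or non-JSON line rather than abort
        auth = entry.get("auth") or {}
        identity_policies = auth.get("identity_policies") or []  # may be null
        if "root" in identity_policies:
            findings.append({
                "time": entry.get("time"),
                "entity_id": auth.get("entity_id"),
                "path": (entry.get("request") or {}).get("path"),
                "type": entry.get("type"),
            })
    return findings


def affected_entities(lines: Iterable[str]) -> set[str]:
    """Distinct entity IDs seen operating with the root identity policy."""
    return {f["entity_id"] for f in find_root_identity_policy(lines) if f["entity_id"]}


if __name__ == "__main__":
    for finding in find_root_identity_policy(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Run it against a real audit file by passing the file's lines instead of SAMPLE_AUDIT_LOG; any entity it reports should be reviewed against the policies actually assigned to it in storage.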

Acknowledgement:

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.