HCSEC-2024-28 - Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service

mark.collao · December 12, 2024, 10:38pm

Bulletin ID: HCSEC-2024-28
Affected Products / Versions: Boundary Community Edition and Boundary Enterprise 0.8.0 up to 0.18.1; fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.
Publication Date: December 12, 2024

Summary
Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handles HTTP requests during the initialization of the Boundary controller, potentially causing the Boundary server to terminate prematurely or allow an attacker to perform a denial of service attack. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which typically lasts for milliseconds during the Boundary startup process.

This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, and 0.18.2.

Background
Boundary consists of two server components, workers and controllers. Workers perform session handling while the controller serves the API and coordinates session requests. The controller, along with handling API requests, is responsible for authentication, authorization, policy enforcement, and logging and auditing of actions within Boundary.

Details
During the initialization of the Boundary controller, functionalities such as logging are gated or paused while Boundary finishes initializing. Once the Boundary controller is ready for operation, Boundary allows these functions to continue. Due to an internal error on how requests are handled, HTTP requests that should normally be dropped during initialization are returned to the Boundary server as an error, causing the server to terminate.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Boundary 0.16.4, 0.17.3, 0.18.2, or newer. Please refer to Upgrading Boundary for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the Boundary Engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Topic		Replies	Views
HCSEC-2021-34 - Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Golang’s net/http (CVE-2021-44716) Security security-consul , security-vault , security-boundary , security-waypoint	0	5086	December 22, 2021
HCSEC-2023-32 - Vault, Consul, and Boundary Affected By HTTP/2 “Rapid Reset” Denial of Service Vulnerability (CVE-2023-44487) Security security-consul , security-vault , security-boundary	0	13128	November 2, 2023
HCSEC-2023-02 - Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Go’s net/http (CVE-2022-41717) Security security-consul , security-vault , security-boundary , security-waypoint	0	5298	February 8, 2023
HCSEC-2024-02 - Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering Security security-boundary	0	5747	February 5, 2024
Boundary Production setup questions Boundary	2	958	June 17, 2022

HCSEC-2024-28 - Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service

Related topics