HTTP verbs TRACK|TRACE and Vault

Hello there!

In our org, we have Vault 1.5.3 deployed by a Helm chart:

apiVersion: v2
name: vault
version: 0.5.0

running on an OpenShift (Red Hat’s flavor of Kubernetes) cluster.

I have a task to address possible vulnerability issues, in particular the use of the TRACK or TRACE HTTP verbs against Vault.

e.g. if I execute:
curl -v -X TRACE https://vault.**MyVaultAddress*/ui/vault/secrets

Among the longer output I’m also getting this:

< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store
< Content-Length: 4860
< Content-Security-Policy: default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action 'none'; frame-ancestors 'none'
< Content-Type: text/html; charset=utf-8
< Last-Modified: Tue, 19 Jan 2021 08:27:03 GMT
< Service-Worker-Allowed: /
< Vary: Accept-Encoding

etc.

If I run the same command against the Google website, for example curl -v -X TRACE www.google.com, I get:

> TRACE / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Content-Type: text/html; charset=UTF-8
< Referrer-Policy: no-referrer

Does anyone know where (if at all) these settings can be controlled for Vault?

Digging in the Helm chart, I cannot see anything relevant, just the TLS settings (which are enabled in our case).

Thanks in advance!
Eldar.

Hi guys,

I raised a support ticket with HashiCorp and got this answer:

I’m not aware of any functionality in Vault that can be used to limit the HTTP verbs and set their return HTTP codes.

I’m not sure how google.com returns the 405 Method Not Allowed when the TRACE verb is used, but I believe that the same effect can be achieved by placing a proxy, for example, NGINX in front of the Vault server to limit the HTTP verbs to the ones you would like to be accessible.
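One way to implement the proxy approach the support answer describes, as an added example that is not part of this thread or of HashiCorp's guidance: an NGINX reverse proxy in front of Vault that answers TRACE, TRACK and any other unexpected verb with 405 before the request reaches Vault. The upstream service name, listen port, server name and certificate paths are assumed placeholders.

```nginx
# Added example (not from the thread): NGINX in front of Vault,
# rejecting unwanted HTTP verbs with 405 Method Not Allowed.
# Upstream address, server_name and TLS paths are placeholders.

upstream vault_backend {
    server vault.vault.svc:8200;   # assumed in-cluster Vault service
}

server {
    listen 8443 ssl;
    server_name vault.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/tls.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/tls.key;   # placeholder path

    # Allow only the verbs the Vault API and UI actually use.
    # LIST is Vault's own non-standard verb (the API also accepts
    # GET ...?list=true), so it must stay on the allow list or
    # secret listing breaks. Everything else, including TRACE and
    # TRACK, is answered with 405 and never forwarded to Vault.
    if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS|LIST)$) {
        return 405;
    }

    location / {
        proxy_pass https://vault_backend;
        proxy_ssl_server_name on;      # send SNI to Vault's TLS listener
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Verify from a client (expected: 405 from NGINX, Vault untouched):
#   curl -v -X TRACE https://vault.example.internal:8443/ui/vault/secrets
```

Vault only trusts the X-Forwarded-For header for audit logs and rate limiting when the proxy's address is listed in the listener's x_forwarded_for_authorized_addrs setting, so add the NGINX pod or node CIDR there if client IPs matter to you.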