The Common Vulnerabilities and Exposures (CVE) project has recently added a new entry identified as CVE-2023-3775, which affects Vault Enterprise's Sentinel Role Governing Policy (RGP) feature. The fix is included in Vault Enterprise versions 1.15., 1.14.4, and 1.13.8.

A recent audit of the Vault Enterprise software discovered a flaw in its Sentinel RGP feature, as it was susceptible to a cross-namespace denial-of-service (DoS) attack. This post delves into the details of the vulnerability, including its cause, the affected systems, and the recommended mitigation strategies.

Vulnerability Details

The Vault Enterprise Sentinel RGP was designed to let operators define and enforce access policies within namespaces (logical partitions of the Vault system); a policy created in one namespace is meant to govern only that namespace and its descendants. However, a flaw was identified in this feature: when an operator restricts access to resources in one specific namespace, the RGP can be wrongly applied to requests outside that namespace, even in a non-descendant namespace. Such cross-namespace requests are inadvertently denied, potentially resulting in a denial-of-service (DoS) condition.

Here is a simplified policy and request illustrating the flaw:

Sentinel RGP (illustrative, attached by the operator in namespace1):
import "strings"

# Requests for resources under "namespace1/" are allowed; any other
# request falls through to the default, which is deny.
main = rule {
  strings.has_prefix(request.path, "namespace1/")
}

The faulty request:
- Resource: "namespace2/secret_key"
- Actor: "namespace1/user"

In the above example, the Sentinel RGP policy is created to restrict access to resources under the "namespace1" namespace. However, when "namespace1/user" requests the resource "namespace2/secret_key", that request is also denied, because the RGP is incorrectly applied across namespaces to a request it should never have been consulted for.
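As an added example (not Vault's code and not taken from the advisory), the following Python model reproduces the selection step this bug concerns: a policy attached to namespace1 being consulted for a request in the non-descendant namespace2. The RGP class, evaluate(), and the namespace-prefixed path layout are constructed for illustration only.

```python
# Constructed model (not Vault's code) of how a namespace-scoped Sentinel
# RGP is selected for a request. scoped=False reproduces the CVE-2023-3775
# behaviour: the RGP fires for every namespace, so a request in namespace2
# is denied by a policy the operator attached to namespace1.
from dataclasses import dataclass


@dataclass(frozen=True)
class RGP:
    namespace: str     # namespace the operator attached the policy in
    path_prefix: str   # resource paths the policy permits

    def permits(self, resource: str) -> bool:
        return resource.startswith(self.path_prefix)


def namespace_of(resource: str) -> str:
    """'namespace2/secret_key' -> 'namespace2' (paths are namespace-prefixed)."""
    return resource.rsplit("/", 1)[0]


def is_descendant(ns: str, ancestor: str) -> bool:
    """A policy in `ancestor` governs `ancestor` itself and its child namespaces."""
    return ns == ancestor or ns.startswith(ancestor + "/")


def evaluate(rgps, resource: str, scoped: bool = True) -> str:
    """Return 'deny' if any RGP that governs the request rejects it, else 'allow'."""
    request_ns = namespace_of(resource)
    for rgp in rgps:
        if scoped and not is_descendant(request_ns, rgp.namespace):
            continue  # fixed behaviour: a foreign RGP is simply not consulted
        if not rgp.permits(resource):
            return "deny"
    return "allow"


# The policy and request from the text above.
NAMESPACE1_RGP = RGP(namespace="namespace1", path_prefix="namespace1/")


def demo() -> dict:
    return {
        "flawed": evaluate([NAMESPACE1_RGP], "namespace2/secret_key", scoped=False),
        "fixed": evaluate([NAMESPACE1_RGP], "namespace2/secret_key", scoped=True),
        "child_ns": evaluate([NAMESPACE1_RGP], "namespace1/team-a/key", scoped=True),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Running it shows the same request denied under the flawed selection and allowed once the RGP is confined to namespace1 and its descendants.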

Exploit Details

At present, there are no known active exploits targeting this vulnerability in Vault Enterprise. Operators should nonetheless understand the exposure: any request routed into a namespace that a misapplied RGP denies is rejected, so a sustained stream of such requests against an affected deployment results in a denial-of-service condition for the workloads that depend on those secrets.

Mitigation Strategies

The developers at HashiCorp have fixed this vulnerability in the latest Vault Enterprise versions, specifically 1.15., 1.14.4, and 1.13.8. Users are strongly advised to update their software as soon as possible to mitigate the risk associated with this flaw.

Additionally, operators should review their Sentinel RGP policies to ensure only the intended namespaces are targeted by the rules and that unintended requests are not denied.

Conclusion

CVE-2023-3775 represents a significant vulnerability in the Vault Enterprise software that could have serious consequences if exploited by an attacker. Users are urged to update their systems to the latest version to mitigate the risk and review their Sentinel RGP policies.

Timeline

Published on: 09/29/2023 00:15:00 UTC
Last modified on: 10/02/2023 20:04:00 UTC