HashiCorp Cloud Vault Vulnerability Let Attackers Escalate Privileges


HashiCorp, a leading provider of cloud infrastructure automation software, has disclosed a high-severity security vulnerability in its Vault secrets management platform.

The flaw, identified as CVE-2024-9180, could allow privileged attackers to escalate their privileges to the highly sensitive root policy, potentially compromising the entire Vault instance.


The vulnerability affects Vault Community Edition 1.7.7 through 1.17.6 and Vault Enterprise 1.7.7 through 1.17.6, as well as the Enterprise 1.16.x and 1.15.x release lines up to 1.16.10 and 1.15.15. HashiCorp rates the issue high severity with a CVSSv3 score of 7.2.

According to the security bulletin, the vulnerability stems from the mishandling of entries in Vault’s in-memory entity cache.

A malicious actor with write permissions to the root namespace’s identity endpoint could manipulate their cached entity record through the identity API, potentially escalating their privileges to Vault’s root policy on the affected node.


The blast radius is narrowed by the fact that the manipulated entity record lives only in the memory of the node that served the request: it is neither propagated to other members of the cluster nor persisted to the storage backend, so a restart of that node discards it.

On that node, however, the attacker effectively holds Vault's root policy for as long as the record remains in the cache, and can read any secret, change configuration, and disrupt critical operations served by it.

It’s important to note that the vulnerability only affects entities in the root namespace and does not impact those within standard or administrative namespaces. Additionally, HCP Vault Dedicated is unaffected due to its reliance on administrative namespaces.

HashiCorp has released patched versions to address this vulnerability. Vault Community Edition users should upgrade to version 1.18.0, while Vault Enterprise users should update to version 1.18.0, 1.17.7, 1.16.11, or 1.15.16, depending on their current version.

For organizations unable to upgrade immediately, HashiCorp suggests two workarounds: a Sentinel EGP (endpoint governing policy, available in Vault Enterprise) or a change to the default policy, in either case restricting write access to the identity endpoint in the root namespace so that a token cannot modify its own entity record.

Additionally, monitoring Vault audit logs for entries whose “identity_policies” array (the field the audit device writes under “auth”) contains “root” can help detect exploitation attempts. In normal operation a token does not acquire the root policy through its entity, so such an entry is a strong signal that a cached entity record has been tampered with.
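As an added example (not code from HashiCorp's advisory or the original article), the following script implements the detection suggested above over Vault file audit device output. It assumes the audit device's JSON-lines format, where each entry carries an "auth" object with an "identity_policies" array and a "request" object with "path", "operation" and "namespace"; the sample log lines, entity IDs and paths are constructed for this example. Tolerating malformed lines matters in practice, because a scanner that aborts on one truncated write stops watching at exactly the moment it should not.

```python
"""Flag Vault audit log entries where the root policy arrived via identity.

Added example, not part of the HashiCorp advisory or the original article.
Assumes the file audit device's JSON-lines format; all sample data below is
constructed for illustration.
"""
import json
from typing import Iterable, Iterator

# Constructed sample audit-device output (not captured from a real Vault).
# Line 2 and line 5 show a token whose effective policies include "root"
# only through identity_policies, the signal the advisory says to watch for.
# Line 3 is a genuine root token: "root" appears in token_policies, not in
# identity_policies, and must not be flagged. Line 4 is deliberately junk.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-10-08T12:00:01Z","type":"response","auth":{"display_name":"token","policies":["default","kv-reader"],"token_policies":["default","kv-reader"],"identity_policies":[],"entity_id":"ent-a1"},"request":{"path":"secret/data/app","operation":"read","namespace":{"id":"root"}}}
{"time":"2024-10-08T12:00:02Z","type":"request","auth":{"display_name":"token","policies":["default"],"token_policies":["default"],"identity_policies":["root"],"entity_id":"ent-b2"},"request":{"path":"identity/entity/id/ent-b2","operation":"update","namespace":{"id":"root"}}}
{"time":"2024-10-08T12:00:03Z","type":"response","auth":{"display_name":"root","policies":["root"],"token_policies":["root"],"identity_policies":[],"entity_id":""},"request":{"path":"sys/health","operation":"read","namespace":{"id":"root"}}}
this line is not JSON and simulates a truncated write
{"time":"2024-10-08T12:00:04Z","type":"response","auth":{"display_name":"token","policies":["default"],"token_policies":["default"],"identity_policies":["root","team-admin"],"entity_id":"ent-c3"},"request":{"path":"secret/data/prod/db","operation":"read","namespace":{"id":"ns-team1"}}}
"""


def load_entries(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed audit entries, skipping blank or malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            # Partial writes or non-JSON noise: skip, never abort the scan.
            continue
        if isinstance(entry, dict):
            yield entry


def identity_policies(entry: dict) -> list:
    """Return the identity-derived policy list of an audit entry ([] if absent)."""
    auth = entry.get("auth") or {}
    policies = auth.get("identity_policies") or []
    return list(policies) if isinstance(policies, list) else []


def has_root_identity_policy(entry: dict) -> bool:
    """True when "root" was granted through the entity, not the token itself."""
    return "root" in identity_policies(entry)


def scan_audit_log(lines: Iterable[str]) -> list:
    """Return one finding per entry whose identity_policies contains "root"."""
    findings = []
    for entry in load_entries(lines):
        if not has_root_identity_policy(entry):
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        findings.append({
            "time": entry.get("time"),
            "entity_id": auth.get("entity_id"),
            # CVE-2024-9180 concerns root-namespace entities, but "root"
            # via identity is anomalous anywhere, so the namespace is
            # recorded for triage rather than used as a filter.
            "namespace": (request.get("namespace") or {}).get("id"),
            "path": request.get("path"),
            "operation": request.get("operation"),
            "identity_policies": identity_policies(entry),
        })
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a real deployment would
    # feed this the audit device's file, e.g. via tail -F.
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print("ALERT root policy via identity:", json.dumps(finding))
```

Keying the check on identity_policies rather than the merged policies list is what keeps legitimate root-token activity (line 3 of the sample) out of the alert stream while still catching an entity that has been altered to carry root.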

The discovery of this vulnerability underscores the importance of regular security audits and prompt patching in critical infrastructure components. Organizations using HashiCorp Vault are strongly advised to assess their risk exposure and take appropriate action to secure their environments.
