Vault and Vault Enterprise, the widely used secret management solutions, are essential tools for securing digital secrets across an organization. However, a recent vulnerability (CVE-2024-5798) affected the security of these systems, specifically in how they validate JSON Web Tokens (JWTs) when the JWT auth method is used.

In this post, we'll dive deep into the details of this vulnerability, explore its potential impact, discuss the code snippets responsible for this issue, and share the steps needed for mitigation. As always, we recommend updating to the latest version of Vault and Vault Enterprise to ensure you're protected from this and other security threats.

The Vulnerability: Vault's JWT Role-Bound Audience Claim Validation

The core of the issue in Vault and Vault Enterprise lies in how they validate the role-bound audience claim in a JWT. Validation should grant access only when the JWT's audience claim matches the audiences bound to the role. Because of the vulnerability, logins could succeed despite an audience mismatch, potentially allowing unauthorized access.

Here's an example of a JWT payload that includes an audience claim:

{
  "iss": "https://example.auth.com",
  "sub": "auth|123456789",
  "aud": "https://vault.example.com",
  "iat": 1617317181,
  "exp": 1617317781
}

For the role to function correctly, the audience claim (aud) should be checked against the audiences allowed for that role. Because of this vulnerability, that check was not enforced, so an attacker could log in with a JWT whose audience was not authorized for the role.

An attacker crafts a JWT with the following payload:

{
  "iss": "https://attacker.example",
  "sub": "attacker|123456789",
  "aud": "https://vault.example.com",
  "iat": 1617317181,
  "exp": 1617317781
}

Vault or Vault Enterprise incorrectly validates the audience claim and grants the attacker access.

To exploit the vulnerability, an attacker must have access to a JWT whose audience claim is incorrect for the role but which otherwise matches that role. Note that the attacker would still need to know the role's identifier to exploit this issue.
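As an added example (not Vault's own code), the following Go snippet shows the audience check described above as it should behave: the token's aud claim, whether a single string or an array as RFC 7519 permits, must share at least one value with the role's bound audiences, and a missing aud is denied. The payloads are constructed from the post's examples with header and signature omitted; signature verification is assumed to happen separately.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audiences normalizes the "aud" claim (string or array of strings per RFC 7519).
func audiences(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// checkBoundAudience parses a decoded JWT payload and reports whether at least
// one "aud" value is in the role's bound audiences. Signature verification is
// assumed to happen elsewhere; a missing or empty aud is denied.
func checkBoundAudience(payload []byte, bound []string) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	for _, a := range audiences(claims["aud"]) {
		for _, b := range bound {
			if a == b {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	// Constructed payloads modelled on the post's examples (header and signature omitted).
	bound := []string{"https://vault.example.com"}
	good := []byte(`{"sub":"auth|123456789","aud":"https://vault.example.com"}`)
	bad := []byte(`{"sub":"attacker|123456789","aud":["https://other.example"]}`)
	fmt.Println(checkBoundAudience(good, bound)) // true <nil>
	fmt.Println(checkBoundAudience(bad, bound))  // false <nil>
}
```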

Resolving the Issue: Vault and Vault Enterprise Patch Releases

HashiCorp, the company behind Vault, has released patches to resolve this vulnerability in the following versions:

Vault Enterprise 1.15.9

Users of Vault and Vault Enterprise should update their software to one of these patched versions as soon as possible.

Original References

- CVE (Common Vulnerabilities and Exposures) Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5798
- HashiCorp's Vault Changelog: https://github.com/hashicorp/vault/blob/main/CHANGELOG.md

Conclusion

The JSON Web Token role-bound audience claim validation vulnerability (CVE-2024-5798) can have severe ramifications for the security and integrity of a Vault and Vault Enterprise installation. Therefore, impacted users should take all necessary steps to apply patches and secure their systems.

By maintaining constant vigilance and staying up to date with the latest security patches and software releases, you can help protect your organization's secrets and sensitive data against potential exploitation.

Timeline

Published on: 06/12/2024 19:15:51 UTC
Last modified on: 06/13/2024 19:32:53 UTC