CVE-2024-6468 - Denial of Service Vulnerability in Vault and Vault Enterprise

A recently discovered critical vulnerability, CVE-2024-6468, affects Vault and Vault Enterprise, potentially leading to a denial of service (DoS) attack. This blog post will provide an in-depth analysis of this vulnerability, the affected versions, possible exploit scenarios, and remediation steps. We will also share code snippets and links to original references for further information.

Vulnerability Details

Vault and Vault Enterprise, widely-used tools for securely managing secrets, have been found vulnerable to a specific attack scenario originating from unauthorized IP addresses. Specifically, when the TCP listener option, proxy_protocol_behavior, is set to deny_unauthorized, Vault's API server can be unintentionally shut down, leading to a Denial of Service. This can happen when a request comes from an IP address that is not listed in the proxy_protocol_authorized_addrs configuration.

Although this bug also affected earlier versions of Vault up to 1.17.1 and 1.16.5, those versions did not allow Vault operators to configure the deny_unauthorized option, which means the condition required for the denial of service would not occur.

Exploit Scenario

An attacker can exploit this vulnerability by sending a crafted request to the Vault API server from an unauthorized IP address. In this scenario, if the proxy_protocol_behavior is set to deny_unauthorized, the server will shut down, rendering it unresponsive to any subsequent requests.

Here is a simple Python code snippet that demonstrates how to send a request to the vulnerable Vault API server:

import requests

vault_api_url = 'http://vault.example.com:820/v1/sys/health';

response = requests.get(vault_api_url)

if response.status_code == 200:
    print("Vault API server is alive.")
else:
    print("Vault API server is not responding.")

Remediation

To mitigate this vulnerability, it is strongly recommended to upgrade to one of the fixed Vault and Vault Enterprise versions as mentioned earlier: 1.17.2, 1.16.6, or 1.15.12.

Original References

For more in-depth information about this vulnerability and its mitigation, please refer to the following links:

1. Vault Changelog
2. Vault Documentation: Proxy Protocol listener

Conclusion

CVE-2024-6468 is a critical vulnerability affecting Vault and Vault Enterprise, potentially causing denial of service attacks. Vault operators should upgrade their installations to the latest fixed versions as soon as possible to protect their systems from potential exploits.

Timeline

Published on: 07/11/2024 21:15:12 UTC
Last modified on: 07/12/2024 14:16:55 UTC