HashiCorp's Vault Community Edition (CE) and Vault Enterprise are widely used for securely managing secrets and encrypting data in transit. However, a recently discovered regression caused sensitive headers, such as client tokens and token accessors, to be written in plaintext to the configured audit log. This vulnerability, identified as CVE-2024-8365, affects Vault CE and Vault Enterprise versions before 1.17.5 and 1.16.9. In this post, we will explore the cause of the regression, walk through illustrative code snippets, point to the original references, and discuss how this vulnerability could be exploited.

Vulnerability Details

Vault uses HMAC (Hash-based Message Authentication Code) to ensure the integrity and authenticity of messages in transit. An oversight in the source code removed the functionality that HMAC'd sensitive headers in the configured audit device, so the audit log recorded the raw values of sensitive headers such as client tokens and token accessors instead of their keyed hashes.

This regression poses a serious security risk, as it exposes sensitive information to unauthorized users who may gain access to the audit logs. The plaintext storage of client tokens and token accessors could allow attackers to steal or tamper with secrets, leading to potential data breaches and other security compromises.

1. Official HashiCorp Security Advisory: https://www.hashicorp.com/security
2. Vault Documentation: https://www.vaultproject.io/docs
3. CVE-2024-8365 details: https://nvd.nist.gov/vuln/detail/CVE-2024-8365

Code Snippet

The following simplified snippet illustrates the regression: the audit path forwards the request to the audit broker without first HMAC'ing the sensitive headers. It is a sketch of the affected logic, not the verbatim Vault source.

func (c *Core) logAudit(ctx context.Context, in *logical.LogInput) error {
  // ...
  // Regression: the call that HMAC'd sensitive headers before auditing is missing here,
  // so the broker receives, and logs, the plaintext header values.
  // ...

  if err := c.auditBroker.LogRequest(ctx, in, c.auditedHeaders); err != nil {
    c.logger.Error("failed to audit request", "request_path", in.Request.Path, "error", err)
    return err
  }
  return nil
}

The issue was fixed by reintroducing the HMAC step for sensitive headers before the request and response reach the audit broker:

func (c *Core) logAudit(ctx context.Context, in *logical.LogInput) error {
  // ...
  // Fix: HMAC the sensitive headers on both request and response before auditing
  hmacSensitiveHeaders(in.Request, in.Response, c.auditedHeaders)
  // ...

  if err := c.auditBroker.LogRequest(ctx, in, c.auditedHeaders); err != nil {
    c.logger.Error("failed to audit request", "request_path", in.Request.Path, "error", err)
    return err
  }
  return nil
}

// hmacSensitiveHeaders replaces the value of every header flagged as sensitive in the
// audited-headers configuration with its HMAC, on the request and (if present) the response.
func hmacSensitiveHeaders(req *logical.Request, resp *logical.Response, auditedHeaders *AuditedHeadersConfig) {
  for _, header := range auditedHeaders.sensitiveHeaders() {
    hmacVal, err := req.HMAC(header)
    if err == nil {
      req.Headers[header] = hmacVal
    }

    if resp != nil {
      hmacVal, err = resp.HMAC(header)
      if err == nil {
        resp.Headers[header] = hmacVal
      }
    }
  }
}
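To make the mechanism concrete, here is an added, self-contained Go example (not Vault's own code) that models what the audit device is supposed to do with configured headers. It keeps only the headers listed in the audited-headers configuration and, for those flagged as sensitive, stores a salted HMAC in Vault's `hmac-sha256:<hex>` format instead of the raw value. The regressed behaviour (filtering without hashing) sits beside the corrected one so the difference in the resulting log fields is visible. The configuration type, the lower-cased header matching, the salt handling and the sample token are simplifications and constructed values assumed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// HMACPrefix is the prefix Vault audit devices place in front of hashed values.
const HMACPrefix = "hmac-sha256:"

// AuditedHeaderConfig models the audited-headers setting: lower-cased header
// name -> whether its value must be HMAC'd before it is written to the audit log.
// (Simplified stand-in for Vault's own configuration type.)
type AuditedHeaderConfig map[string]bool

// HMACValue returns "hmac-sha256:" + hex(HMAC-SHA256(key=salt, value)),
// the shape of a hashed value in a Vault audit entry. The salt is assumed to be
// the audit device's persistent salt; here the caller supplies it directly.
func HMACValue(salt []byte, value string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(value))
	return HMACPrefix + hex.EncodeToString(mac.Sum(nil))
}

// redactHeadersVulnerable mirrors the regressed behaviour: it copies the audited
// headers into the audit entry but never hashes them, so a token travels to the log as-is.
func redactHeadersVulnerable(cfg AuditedHeaderConfig, headers map[string][]string) map[string][]string {
	out := make(map[string][]string)
	for name, vals := range headers {
		if _, audited := cfg[strings.ToLower(name)]; audited {
			out[name] = append([]string(nil), vals...)
		}
	}
	return out
}

// redactHeadersFixed mirrors the corrected behaviour: audited headers are copied,
// and those flagged sensitive are replaced by their salted HMAC first.
func redactHeadersFixed(cfg AuditedHeaderConfig, salt []byte, headers map[string][]string) map[string][]string {
	out := make(map[string][]string)
	for name, vals := range headers {
		sensitive, audited := cfg[strings.ToLower(name)]
		if !audited {
			continue
		}
		copied := make([]string, len(vals))
		for i, v := range vals {
			if sensitive {
				copied[i] = HMACValue(salt, v)
			} else {
				copied[i] = v
			}
		}
		out[name] = copied
	}
	return out
}

func main() {
	// Constructed configuration and request headers for the demonstration.
	cfg := AuditedHeaderConfig{"x-vault-token": true, "x-forwarded-for": false}
	salt := []byte("constructed-audit-salt")
	headers := map[string][]string{
		"X-Vault-Token":   {"hvs.CONSTRUCTEDexampleToken"},
		"X-Forwarded-For": {"203.0.113.7"},
		"User-Agent":      {"example-client/1.0"},
	}
	fmt.Println("regressed audit headers:", redactHeadersVulnerable(cfg, headers))
	fmt.Println("fixed audit headers:    ", redactHeadersFixed(cfg, salt, headers))
}
```

The non-sensitive header passes through unchanged in both variants and the unconfigured User-Agent is dropped in both; only the token differs, which is exactly the field the regression exposed. Because the HMAC is keyed with the device salt, the logged value still lets an operator correlate requests made with the same token without being able to recover it.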

Exploit Details

Though no known exploits have been publicly documented for CVE-2024-8365, the vulnerability itself poses a significant risk. Attackers who gain access to the audit logs could potentially leverage the plaintext storage of client tokens and token accessors to perform unauthorized actions or access sensitive data.

Recommendations

It is strongly recommended to update Vault CE and Vault Enterprise to versions 1.17.5 and 1.16.9 or later, which contain the fix for this regression. Additionally, organizations should enforce stringent access controls for audit logs to minimize the risk of unauthorized access.
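Beyond upgrading, operators can confirm whether an existing audit log was written by an affected build. The following added Go example (not a HashiCorp tool) scans JSON-lines audit entries and flags any request whose configured sensitive header does not carry the `hmac-sha256:` prefix, which is the signature of the regression described above. The entry structure read here is the small subset of the Vault audit format the check needs; the request identifiers, path and header values in the embedded sample log are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEntry is the subset of a Vault audit log entry this check reads.
type auditEntry struct {
	Type    string `json:"type"`
	Request struct {
		ID      string              `json:"id"`
		Path    string              `json:"path"`
		Headers map[string][]string `json:"headers"`
	} `json:"request"`
}

// Finding records one request whose sensitive header was logged in plaintext.
type Finding struct {
	RequestID string
	Header    string
}

// checkAuditLog parses JSON-lines audit entries and reports every entry in which a
// header named in `sensitive` has a value lacking the hmac-sha256: prefix. Header
// names are compared case-insensitively. A malformed line aborts the scan with an error.
func checkAuditLog(log string, sensitive []string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		for name, vals := range e.Request.Headers {
			if !isSensitive(name, sensitive) {
				continue
			}
			for _, v := range vals {
				if !strings.HasPrefix(v, "hmac-sha256:") {
					findings = append(findings, Finding{RequestID: e.Request.ID, Header: name})
					break // one finding per header per entry is enough
				}
			}
		}
	}
	// Sort so results are stable regardless of map iteration order.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].RequestID != findings[j].RequestID {
			return findings[i].RequestID < findings[j].RequestID
		}
		return findings[i].Header < findings[j].Header
	})
	return findings, sc.Err()
}

func isSensitive(name string, sensitive []string) bool {
	for _, s := range sensitive {
		if strings.EqualFold(name, s) {
			return true
		}
	}
	return false
}

// sampleAuditLog is a constructed two-entry log: the first entry was written by a
// correctly behaving device, the second shows the regression (raw token value).
const sampleAuditLog = `
{"type":"request","request":{"id":"req-0001-constructed","path":"secret/data/app","headers":{"x-vault-token":["hmac-sha256:0000000000000000000000000000000000000000000000000000000000000000"],"x-forwarded-for":["203.0.113.7"]}}}
{"type":"request","request":{"id":"req-0002-constructed","path":"secret/data/app","headers":{"x-vault-token":["hvs.CONSTRUCTEDexampleToken"],"x-forwarded-for":["203.0.113.8"]}}}
`

func main() {
	findings, err := checkAuditLog(sampleAuditLog, []string{"x-vault-token"})
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("plaintext sensitive header %q in request %s\n", f.Header, f.RequestID)
	}
}
```

Any hit means the log file itself now holds live credential material: besides upgrading, the affected entries should be treated as a token exposure, with the tokens revoked and the log's access history reviewed.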

Conclusion

Ensuring the confidentiality and integrity of data in transit is critical to any security solution. The recent CVE-2024-8365 vulnerability affecting Vault Community Edition and Vault Enterprise highlights the importance of regularly updating software and staying informed about newly discovered security flaws. By understanding the causes, implications, and steps to remediate such vulnerabilities, organizations can maintain robust security postures and minimize potential risks to their critical infrastructure.

Timeline

Published on: 09/02/2024 05:15:17 UTC
Last modified on: 09/04/2024 17:18:36 UTC