HashiCorp Vault Flaw (CVE-2024-7594): Unrestricted SSH Access Threatens System Security

Summary: HashiCorp has issued a critical security advisory regarding a vulnerability (CVE-2024-7594) in its Vault secrets management tool, which could allow attackers unrestricted SSH access to systems. This flaw affects multiple versions of both Vault Community and Enterprise Editions, posing significant risks to data security and infrastructure control.

Threat Actor: Unknown
Victim: HashiCorp

Key Points:

  • The vulnerability allows attackers to bypass security controls and gain SSH access to any user on a targeted system.
  • HashiCorp has released patched versions of Vault and introduced a new configuration option to enhance security.
  • Users are advised to upgrade or adjust their configurations to prevent exploitation of this vulnerability.

HashiCorp, a leading provider of infrastructure automation software, has issued a critical security advisory concerning a vulnerability in its popular secrets management tool, Vault. The flaw, designated as CVE-2024-7594 and assigned a CVSS score of 7.7, affects both Vault Community Edition and Vault Enterprise versions ranging from 1.7.7 to 1.17.5. The vulnerability, if exploited, could grant attackers unrestricted SSH access to systems, potentially leading to data breaches, service disruptions, and unauthorized control over critical infrastructure.

The Problem: Unrestricted SSH Certificates

The core of the issue lies within Vault’s SSH secrets engine, a feature designed to streamline the management of SSH access to various systems. Because of a configuration oversight, the valid_principals list, the field that restricts which users an SSH certificate can authenticate as, was not enforced by default: Vault would sign a request that supplied no principals, and a certificate with an empty principal list is accepted by OpenSSH for any user account on a host that trusts the issuing CA. This loophole enabled attackers to acquire SSH certificates granting access to any user on a targeted system, effectively bypassing the intended security controls.

The Fix: Updated Vault Versions and Configuration

HashiCorp has addressed this vulnerability in Vault Community Edition 1.17.6 and Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. Additionally, a new configuration option, allow_empty_principals, has been introduced to provide more control over this behavior.

HashiCorp extends its gratitude to Jörn Heissler for responsibly disclosing the CVE-2024-7594 vulnerability.

Action Required: Upgrade or Configure

Vault users are strongly encouraged to either upgrade to the patched versions or ensure that their SSH secrets engine configurations include non-empty valid_principals lists. This will prevent attackers from exploiting this vulnerability and gaining unauthorized access to sensitive systems.
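As an added example (not from HashiCorp's advisory or Vault's own code), the following Python parses an OpenSSH user certificate and flags one whose principal list is empty, which is the unrestricted certificate described above; a defender can run it over certificates found on hosts or recorded in Vault audit logs to confirm that the upgrade or the non-empty valid_principals configuration took effect. The certificate builder at the end produces a constructed, unsigned sample purely for demonstration.

```python
import base64
import struct

# Number of SSH "string" fields of public-key material that follow the nonce
# in each certificate type (layout from OpenSSH's PROTOCOL.certkeys).
_KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,            # pk
    "ssh-rsa-cert-v01@openssh.com": 2,                # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,    # curve, public_key
}

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack_string(b):
    return struct.pack(">I", len(b)) + b

def cert_principals(cert_line):
    """Parse an authorized_keys-style certificate line ('<type> <base64> ...')
    and return (key_id, [principals])."""
    blob = base64.b64decode(cert_line.split()[1])
    cert_type, off = _read_string(blob, 0)
    cert_type = cert_type.decode()
    if cert_type not in _KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {cert_type}")
    _, off = _read_string(blob, off)                  # nonce
    for _ in range(_KEY_FIELDS[cert_type]):           # public key material
        _, off = _read_string(blob, off)
    off += 8 + 4                                      # serial (u64), type (u32)
    key_id, off = _read_string(blob, off)
    packed, off = _read_string(blob, off)             # packed principal list
    principals, p = [], 0
    while p < len(packed):
        name, p = _read_string(packed, p)
        principals.append(name.decode())
    return key_id.decode(), principals

def is_unrestricted(cert_line):
    """True when the certificate carries no principals, i.e. sshd would accept
    it for any account: the condition CVE-2024-7594 allowed Vault to issue."""
    return cert_principals(cert_line)[1] == []

def constructed_cert(principals):
    """Build a minimal, unsigned ed25519 certificate; constructed sample data
    (hypothetical key id, zeroed key bytes), not a real Vault-issued cert."""
    body = _pack_string(b"ssh-ed25519-cert-v01@openssh.com")
    body += _pack_string(b"\x00" * 32) + _pack_string(b"\x01" * 32)  # nonce, pk
    body += struct.pack(">QI", 1, 1)                  # serial, SSH_CERT_TYPE_USER
    body += _pack_string(b"vault-role-demo")          # key id
    body += _pack_string(b"".join(_pack_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1)          # valid_after, valid_before
    body += _pack_string(b"") * 5   # critical opts, extensions, reserved, sig key, sig
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```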


Source: https://securityonline.info/hashicorp-vault-flaw-cve-2024-759-unrestricted-ssh-access-threatens-system-security