Security flaws: Vulnerability in HashiCorp Vault decrypted by exploit

Last August, Hashicorp's Vault, a secure safe solution (a solution to secure tokens, certificates, passwords, encryption keys accessible online, HTTP APIs or user interface) was discovered by two vulnerabilities.

Critical security vulnerabilities (CVE-2020-16250/16251), which today are obviously corrected. However, Google's cybersecurity team, Project Zero, decided to describe how these vulnerabilities could be used. A feat that highlighted the problem of the security of cloud solutions in terms of identity management.

This article will also interest you: A security flaw affecting Visa cards allowing hackers with android-powered smartphones to make contactless payments

"A very good developer may be able to reason on all the security limits, requirements and pitfalls of his own software, but it becomes very difficult once a complex external service comes into play," said Felix Wilhelm, a security researcher at Project Zero.

This is literally one of the worst contingencies for a secure safe to be hit by a security breach. In that context there were two. Even worse. Of course we shouldn't be fooled. Like any computer program or system, there is always a vulnerability somewhere. One can take the example of Last Pass, which has fixed several security flaws affecting its composition. But of course the worst is over since the vulnerabilities have already been fixed.

Google's team of security vulnerability search specialists, a month later decided to take a better approach to the vulnerability and its potential consequences. If these vulnerabilities had fallen into the hands of ill-intentioned people. "Interfacing with Vault requires authentication, and Vault supports role-based access control to govern access to stored secrets," Google's computer security researchers note in a blog post. "For authentication, it supports plug-in authentication methods ranging from static credentials, LDAP or Radius, to full integration into third-party OpenID Connect providers or Cloud Identity Access Management platforms." The vulnerabilities were specifically discovered when using third-party IAM cloud platforms, the one provided by Amazon Web services but also GCP.

"I've written a feat POC that touches on the creation and serialization of JWT. Although the OIDC provider configuration adds some complexity, we end up with a nice authentication bypass for roles arbitrarily activated by AWS. The only requirement is that the attacker know the name of a privileged AWS role in the target Vault server," notes Felix Wilhelm, Project Zero's security researcher. "AWS IAM does not have a simple way to prove the identity of a service to other non-AWS services. Third-party services cannot easily verify pre-signed applications and AWS IAM does not offer any standard primary signatures that could be used to implement certificate-based authentication or JWT. In the end, Hashicorp corrected the vulnerability by applying a HTTP header authorization list, limiting requests to getCallerIdentity action, and more strongly validating the STS response, which is hopefully enough to protect against unexpected changes in the STS implementation or differences in the HTTP analyzer between STS and Golang. »

The Google researcher later clarified, "It's important to note that the AWS account used for this doesn't need to have a relationship with our target."

"We can now use our OIDP to sign a JWT that contains a GetCallerIdentity Arbitrary response If all goes ac[…]cording to plan, STS will reflect the subject of the token as part of its JSON coded response." Note the latter. At the time, the Go XML set-top box will not take into account all the content of the GetCallerIdentityResponse object, Vault will be required to consider this information as a correct STS CallerIdentity response so validate it.

"The final step is to convert this request in the form expected by Vault and send it to the target Vault server as a login request on /v1/auth/aws/identify. Vault de-internalizes the request, sends it to STS and misinterprets the answer. If AWS RNA/UserID GetCallerIdentityResponse has privileges on the Vault server, then it is possible to retrieve a valid session token, which we can use to interact with the Vault server to retrieve secret data." Explains Felix Wilhelm

To conclude, Google's Project Zero researcher says, "Modern IAM cloud solutions are powerful and often more secure than comparable on-site solutions, but they have their own security pitfalls and highly complex implementation. As more and more companies turn to large cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be many similar problems in the coming years."

Now access an unlimited number of passwords: