
CVE-2021-42135 : What You Need to Know

Learn about CVE-2021-42135 affecting HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4, allowing users more privileges than intended. Mitigation and prevention steps included.

HashiCorp Vault and Vault Enterprise 1.8.x through 1.8.4 may have an unexpected interaction between glob-related policies and the Google Cloud secrets engine, potentially granting users more privileges than intended.

Understanding CVE-2021-42135

What is CVE-2021-42135?

HashiCorp Vault and Vault Enterprise versions 1.8.x through 1.8.4 contain a policy-evaluation issue: an unexpected interaction between glob-related policies and the Google Cloud secrets engine can leave users with more access than their policies were meant to grant.

The Impact of CVE-2021-42135

The vulnerability may lead to scenarios where users holding only read permission on specific paths exceed their intended access level, potentially obtaining Google Cloud service account credentials that were never meant to be issued to them.

Technical Details of CVE-2021-42135

Vulnerability Description

The issue arises from an unexpected interaction between glob-related policies and the Google Cloud secrets engine within HashiCorp Vault 1.8.x through 1.8.4.

Affected Systems and Versions

        Systems: HashiCorp Vault and Vault Enterprise
        Versions: 1.8.x through 1.8.4

Exploitation Mechanism

The vulnerability allows users with read permissions on certain paths to obtain service account credentials from the Google Cloud secrets engine, an operation their policy was not intended to permit.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to a fixed release (later than 1.8.4) to remove the vulnerability.
        Review and adjust access policies, in particular glob rules over secrets-engine paths, so that users hold only the privileges they were meant to have.
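The policy review above can be made mechanical. The following is an added example, not code from this page or from HashiCorp: it models Vault's policy path matching in a simplified form and reports whether a policy's capabilities reach credential-issuing endpoints. It assumes the Google Cloud secrets engine is mounted at `gcp/` and issues credentials at `gcp/roleset/<name>/key` and `gcp/roleset/<name>/token`; the policies are constructed for illustration and the ACL model is deliberately simplified.

```python
# Added example (not Vault's code): a simplified model of Vault policy path matching,
# used to audit whether a policy's capabilities reach credential-issuing endpoints.
# Assumption (not from the page): the GCP secrets engine is mounted at "gcp/" and
# issues credentials at gcp/roleset/<name>/key and gcp/roleset/<name>/token.
from typing import Dict, List, Set

CREDENTIAL_PATHS = ["gcp/roleset/+/key", "gcp/roleset/+/token"]  # '+' = one segment


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style rule matching: '+' matches exactly one path segment and a
    trailing '*' matches any remaining suffix (so 'a/*' also covers 'a/b/c')."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    rseg = path.split("/")
    if glob:
        head, tail = pseg[:-1], pseg[-1]
        return (len(rseg) > len(head)
                and all(p in ("+", r) for p, r in zip(head, rseg))
                and rseg[len(head)].startswith(tail))
    return len(pseg) == len(rseg) and all(p in ("+", r) for p, r in zip(pseg, rseg))


def effective_caps(policy: Dict[str, List[str]], path: str) -> Set[str]:
    """Simplified Vault ACL resolution: 'deny' on any matching rule wins,
    otherwise the most specific (longest) matching rule supplies the capabilities."""
    matched = [(pat, caps) for pat, caps in policy.items() if path_matches(pat, path)]
    if not matched or any("deny" in caps for _, caps in matched):
        return set()
    return set(max(matched, key=lambda m: len(m[0]))[1])


def audit_credential_reach(policy: Dict[str, List[str]], roleset: str = "example-rs") -> List[str]:
    """Return the credential-issuing paths the policy can reach with any capability,
    with a constructed roleset name substituted for the '+' segment."""
    paths = [t.replace("+", roleset) for t in CREDENTIAL_PATHS]
    return [p for p in paths if effective_caps(policy, p)]


# Constructed policies. The wide glob was meant to let operators inspect rolesets,
# but a trailing '*' also covers the key/token sub-paths beneath each roleset.
WIDE_READ_POLICY = {"gcp/roleset/*": ["read"]}

# Scoped alternative: read only the roleset objects and explicitly deny the issuing
# endpoints (defence in depth; upgrading Vault past 1.8.4 remains the actual fix).
SCOPED_READ_POLICY = {
    "gcp/roleset/+": ["read"],
    "gcp/roleset/+/key": ["deny"],
    "gcp/roleset/+/token": ["deny"],
}
```

Running `audit_credential_reach` over each policy lists the issuing paths the wide glob still reaches and confirms the scoped policy reaches none.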

Long-Term Security Practices

        Regularly audit and monitor access and permissions within HashiCorp Vault.
        Educate users on best practices for managing secrets and privileges.

Patching and Updates

Apply all security patches and updates provided by HashiCorp to ensure protection against known vulnerabilities.
