Learn about CVE-2023-0690 impacting HashiCorp Boundary versions 0.10.0 through 0.11.2. Upgrade to version 0.12.0 to fix this plaintext storage issue.
This CVE involves a vulnerability in HashiCorp Boundary versions 0.10.0 through 0.11.2 where new credentials created after an automatic rotation may not have been encrypted via the intended Key Management Service (KMS), resulting in storing credentials in plaintext even when a KMS is configured. Users are advised to upgrade to version 0.12.0 to mitigate this issue.
Understanding CVE-2023-0690
This section delves into the specifics of CVE-2023-0690 in HashiCorp Boundary.
What is CVE-2023-0690?
CVE-2023-0690 pertains to HashiCorp Boundary versions 0.10.0 through 0.11.2, in which credentials newly created by the automatic rotation process may not be encrypted with the configured KMS, so they are stored in plaintext on the worker's disk.
The Impact of CVE-2023-0690
The vulnerability is rated medium severity, with a CVSS base score of 5. Exploitation requires local access and high privileges; the resulting impact is to confidentiality, rated high, because the credentials stored on disk are readable in plaintext.
Technical Details of CVE-2023-0690
This section provides technical insights into the vulnerability.
Vulnerability Description
HashiCorp Boundary versions 0.10.0 through 0.11.2 fail to encrypt new credentials properly during automatic rotation when a Key Management Service is defined, leading to plaintext storage.
Affected Systems and Versions
The affected product is HashiCorp Boundary, specifically versions 0.10.0 through 0.11.2, on all platforms it is released for, including Windows, macOS, x86, ARM, and 64-bit and 32-bit Linux systems.
Exploitation Mechanism
The vulnerable condition is a Boundary worker that authenticates with the PKI-based method and has a Key Management Service (KMS) configured for worker authentication storage; only deployments matching both conditions are affected.
Mitigation and Prevention
In this section, we discuss how to mitigate the CVE-2023-0690 vulnerability in HashiCorp Boundary.
Immediate Steps to Take
Users are advised to upgrade to version 0.12.0 of HashiCorp Boundary. Upgrading alone does not re-encrypt credentials that were already written in plaintext: after upgrading, users should either wait for the next worker authentication rotation cycle, which writes the new credentials encrypted, or delete and re-authorize the worker to generate encrypted credentials immediately.
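As an added triage example (not HashiCorp's code), the following Python script checks the two conditions this advisory names, an affected version and a PKI worker whose authentication storage is protected by a KMS, and maps the result to the remediation steps above. The worker config key `auth_storage_path` and the KMS purpose `worker-auth-storage` are assumptions about the Boundary config format, the HCL check is a regex scan rather than a full parser, and the sample config is constructed.

```python
import re

# Affected range and fixed version as stated in the advisory.
AFFECTED_MIN = (0, 10, 0)
AFFECTED_MAX = (0, 11, 2)
FIXED = (0, 12, 0)

# Constructed sample worker config (assumed shape: PKI worker with an
# auth_storage_path and a KMS block bound to the worker-auth-storage purpose).
SAMPLE_WORKER_HCL = '''
worker {
  auth_storage_path = "/var/lib/boundary/worker-1"
}
kms "aead" {
  purpose   = "worker-auth-storage"
  aead_type = "aes-gcm"
  key       = "CONSTRUCTED-PLACEHOLDER-KEY"
}
'''

def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from text such as 'Version Number: 0.11.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def version_in_affected_range(version: tuple) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def config_matches_vulnerable_setup(hcl: str) -> bool:
    """PKI auth storage plus a KMS bound to worker-auth-storage (regex scan, not a full HCL parser)."""
    lines = [ln for ln in hcl.splitlines() if not ln.lstrip().startswith(("#", "//"))]
    code = "\n".join(lines)
    has_pki_storage = re.search(r"^\s*auth_storage_path\s*=", code, re.M) is not None
    has_storage_kms = re.search(r'purpose\s*=\s*\[?[^\n]*"worker-auth-storage"', code) is not None
    return has_pki_storage and has_storage_kms

def assess(version_text: str, hcl: str) -> dict:
    """Combine both conditions and map the result to the advisory's remediation."""
    version = parse_version(version_text)
    affected = version_in_affected_range(version) and config_matches_vulnerable_setup(hcl)
    if affected:
        action = ("upgrade to 0.12.0, then wait for the next worker auth rotation or "
                  "delete and re-authorize the worker so credentials are rewritten encrypted")
    elif version >= FIXED:
        action = ("fixed release; credentials written by an affected version stay plaintext "
                  "until the next rotation or a worker re-authorization")
    else:
        action = "outside the affected version/config combination; still upgrade to the latest release"
    return {"version": version, "affected": affected, "action": action}
```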
Long-Term Security Practices
To enhance security posture, organizations should regularly update their software to the latest versions and follow best practices in configuring and managing security-related settings.
Patching and Updates
Regularly monitoring for software updates and patches from HashiCorp helps keep deployments protected against known vulnerabilities. Upgrading to the latest version promptly is the primary way to address identified security issues.