CVE-2023-4680 : What You Need to Know
Learn about CVE-2023-4680 in HashiCorp's Vault Transit Secrets Engine, impacting versions 1.6.0 to 1.12.0. Mitigation steps and impact details included.
This CVE was published by HashiCorp on September 14, 2023, and relates to an issue in the Vault's Transit Secrets Engine that allowed nonce to be specified without convergent encryption.
Understanding CVE-2023-4680
This vulnerability in HashiCorp's Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, when combined with an offline attack, could potentially be exploited to decrypt arbitrary ciphertext and derive the authentication subkey. This vulnerability was introduced in version 1.6.0 and was resolved in versions 1.14.3, 1.13.7, and 1.12.11.
What is CVE-2023-4680?
CVE-2023-4680 is classified under the CWE-20 category, which pertains to improper input validation.
The Impact of CVE-2023-4680
The impact of this vulnerability is rated as 'MEDIUM' based on the CVSS v3.1 evaluation. It has a base score of 6.8, with high confidentiality and integrity impacts. The attack vector is through the network, with high attack complexity, low privileges required, and no user interaction necessary. The scope remains unchanged, and there is no availability impact.
Technical Details of CVE-2023-4680
This section provides an overview of the vulnerability, affected systems and versions, as well as the exploitation mechanism.
Vulnerability Description
The vulnerability in the Transit Secrets Engine of HashiCorp's Vault and Vault Enterprise allowed for the arbitrary specification of nonces even with convergent encryption disabled. This could lead to potential decryption of arbitrary ciphertext and extraction of the authentication subkey.
Affected Systems and Versions
The affected products include HashiCorp's Vault and Vault Enterprise on various platforms such as Windows, MacOS, Linux, x86, ARM, in both 64-bit and 32-bit configurations. The versions impacted are less than 1.14.3, 1.13.7, 1.12.11, and 1.12.0.
Exploitation Mechanism
The exploit involved leveraging the encrypt endpoint in conjunction with an offline attack to gain access to arbitrary ciphertext and potentially derive the authentication subkey when using the transit secrets engine without convergent encryption.
Mitigation and Prevention
To address CVE-2023-4680, immediate steps should be taken to secure affected systems and implement long-term security practices. Additionally, applying patches and updates is crucial to mitigating the risk posed by this vulnerability.
Immediate Steps to Take
Users are advised to update their HashiCorp Vault and Vault Enterprise installations to versions 1.14.3, 1.13.7, or 1.12.11 to eliminate the vulnerability. It is also recommended to review and restrict the ability to specify arbitrary nonces.
Long-Term Security Practices
Implementing secure coding practices, regularly updating software, conducting security assessments, and maintaining robust access controls are essential for enhancing the overall security posture and minimizing similar vulnerabilities in the future.
Patching and Updates
HashiCorp has released patches to address the vulnerability in the affected versions. Users are encouraged to apply these patches promptly to mitigate the risk associated with CVE-2023-4680.