SB2022031039 - Multiple vulnerabilities in Vault Enterprise
Published: March 10, 2022 Updated: April 17, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2022-25243)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists because, under certain configurations, the PKI secrets engine issues wildcard certificates to authorized users for a specified domain even when the PKI role policy attribute allow_subdomains is set to false. A remote user can bypass the implemented security restriction and obtain wildcard certificates.
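The following is an added example, not code from the bulletin or from Vault itself: a simplified model of the PKI role name checks, written to show why a role with allow_subdomains=false must also reject wildcard names such as "*.example.com" (a wildcard covers every subdomain, so issuing it under such a role silently widens what the role permits). The role field names mirror Vault's PKI role parameters; the evaluation logic is an assumption made for illustration, not Vault's implementation. The find_policy_violations helper can be run over names from already-issued certificates to find ones the intended policy would not have allowed.

```python
from dataclasses import dataclass, field


@dataclass
class PkiRole:
    """Subset of PKI role attributes relevant to name checks (assumed semantics)."""
    allowed_domains: list = field(default_factory=list)
    allow_bare_domains: bool = False
    allow_subdomains: bool = False
    allow_wildcard_certificates: bool = False  # wildcards must be opted in explicitly


def name_allowed(role: PkiRole, name: str) -> bool:
    """Return True if `name` may be issued under `role`."""
    name = name.lower().rstrip(".")
    is_wildcard = name.startswith("*.")
    # A wildcard only makes sense as a subdomain of an allowed domain, and the
    # role must permit both subdomains and wildcards for it to be issued.
    if is_wildcard and not (role.allow_subdomains and role.allow_wildcard_certificates):
        return False
    base = name[2:] if is_wildcard else name
    # Reject wildcard labels anywhere other than the leftmost position.
    if "*" in base:
        return False
    for domain in role.allowed_domains:
        domain = domain.lower()
        if base == domain:
            # "*.example.com" is a subdomain pattern; "example.com" is the bare domain.
            return role.allow_subdomains if is_wildcard else role.allow_bare_domains
        if base.endswith("." + domain):
            return role.allow_subdomains
    return False


def find_policy_violations(role: PkiRole, issued_names: list) -> list:
    """Names already issued that the role's stated policy would not allow."""
    return [n for n in issued_names if not name_allowed(role, n)]


if __name__ == "__main__":
    # Constructed role and names, not taken from any real deployment.
    role = PkiRole(allowed_domains=["example.com"], allow_bare_domains=True)
    issued = ["example.com", "www.example.com", "*.example.com"]
    print(find_policy_violations(role, issued))
```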
2) Information disclosure (CVE-ID: CVE-2022-25244)
The vulnerability allows a remote user to disclose the tokenization transform key.
The vulnerability exists due to improper access control in the tokenization key configuration endpoint when handling read requests for key configuration. The returned key configuration incorrectly includes the base64-encoded key, so a remote user who reads it obtains the tokenization transform key.
Exploitation requires read permissions on the authenticated endpoint. Reversing tokenized values also requires access to tokenization state values and, in the default non-exportable mode, end-user-device tokens.
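Because exploitation needs read access to the key configuration endpoint, a defender can review who read tokenization key configuration on a cluster that was running an affected version. The following is an added example, not from the bulletin or from HashiCorp: it scans Vault audit-log entries for read operations on that endpoint and reports the requester. It assumes the JSON-lines layout written by Vault's file audit device (type, auth, request.operation, request.path) and assumes the key configuration path has the form "<mount>/tokenization/keys/<name>", where the mount name is a deployment choice. The audit lines below are constructed for the example.

```python
import json
import re

# Path of the tokenization key configuration endpoint (assumed form; the mount
# name is whatever the Transform secrets engine was enabled at).
KEY_CONFIG_PATH = re.compile(r"^(?P<mount>[^/]+)/tokenization/keys/(?P<key>[^/]+)$")

# Constructed audit entries, not real logs. Tokens are already HMAC'd in audit logs.
SAMPLE_AUDIT_LINES = [
    '{"time":"2022-03-01T10:00:00Z","type":"request","auth":{"display_name":"userpass-alice","entity_id":"e1"},'
    '"request":{"operation":"read","path":"transform/tokenization/keys/ccn"}}',
    '{"time":"2022-03-01T10:00:00Z","type":"response","auth":{"display_name":"userpass-alice","entity_id":"e1"},'
    '"request":{"operation":"read","path":"transform/tokenization/keys/ccn"}}',
    '{"time":"2022-03-01T10:05:00Z","type":"request","auth":{"display_name":"approle-app","entity_id":"e2"},'
    '"request":{"operation":"update","path":"transform/encode/payments"}}',
    '{"time":"2022-03-01T10:07:00Z","type":"request","auth":{"display_name":"token","entity_id":"e3"},'
    '"request":{"operation":"read","path":"transform/tokenization/keys/ssn"}}',
    '{"time":"2022-03-01T10:09:00Z","type":"request","auth":{"display_name":"userpass-bob","entity_id":"e4"},'
    '"request":{"operation":"read","path":"transform/role/payments"}}',
    'this line is not json and is skipped',
]


def find_key_config_reads(lines):
    """Return one record per read of a tokenization key configuration.

    Only "request" entries are counted so the matching "response" entry for the
    same call does not produce a duplicate hit.
    """
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        if req.get("operation") != "read":
            continue
        match = KEY_CONFIG_PATH.match(req.get("path", ""))
        if not match:
            continue
        auth = entry.get("auth", {})
        hits.append({
            "time": entry.get("time"),
            "mount": match.group("mount"),
            "key": match.group("key"),
            "requester": auth.get("display_name") or auth.get("entity_id"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_key_config_reads(SAMPLE_AUDIT_LINES):
        print(f"{hit['time']} {hit['requester']} read key config {hit['mount']}/{hit['key']}")
```

Run it against the real audit log by replacing SAMPLE_AUDIT_LINES with the file's lines; any requester in the output who should not hold the key is a candidate for key rotation review.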
Remediation
Install the update from the vendor's website.