Description
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
A flaw was found in github.com/hashicorp/vault. This vulnerability allows a privileged Vault operator with write access to the root namespace’s identity endpoint to manipulate token privileges, effectively elevating another user’s token to the Vault root policy. This privilege escalation occurs through crafted writes to the identity endpoint. An attacker can obtain unauthorized root access to the Vault system, allowing complete control over the Vault instance.
Statement
This vulnerability is Important rather than Moderate because it enables direct privilege escalation to the Vault root policy, granting unrestricted administrative control over the entire Vault environment. While the attacker must already have write access to the root namespace’s identity endpoint, that permission alone does not normally confer root-level authority—this flaw breaks the intended privilege separation model. By exploiting it, an attacker can craft malicious writes to the identity endpoint to bind their own or another user’s token to the root policy, bypassing all policy restrictions. With root access, the attacker can exfiltrate every stored secret, modify or delete sensitive data, disable audit logs to cover tracks, and introduce persistent backdoors.
Mitigation
Until you can upgrade to a fixed release, mitigation options include applying Sentinel EGP policies to prevent assignment of the root policy via the identity API, and closely monitoring Vault audit logs for tokens with "identity_policies": ["root"].
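The audit-log indicator named above ("identity_policies": ["root"]) is easy to check mechanically. The following script is an added example, not part of this advisory or of HashiCorp's tooling: it parses Vault file-audit-device JSON lines, flags any token whose identity_policies list contains root, and separately lists writes to the identity endpoint in the root namespace so a responder can correlate the two. The sample log lines are constructed for the example, and the field names (auth.identity_policies, request.path, request.operation, request.namespace.path) are assumed to match the audit device's JSON layout.

```python
import json
from typing import Any

# Constructed sample audit entries (not real log data). The middle line models the
# condition the advisory tells operators to watch for: a token carrying "root"
# through identity_policies rather than through its own token_policies.
SAMPLE_AUDIT_LOG = """
{"time":"2025-07-01T10:00:00Z","type":"response","auth":{"display_name":"token","entity_id":"e1","policies":["default","identity-admin"],"token_policies":["default","identity-admin"],"identity_policies":[]},"request":{"path":"identity/entity/id/e2","operation":"update","namespace":{"path":""}}}
{"time":"2025-07-01T10:00:05Z","type":"request","auth":{"display_name":"userpass-alice","entity_id":"e2","policies":["default","root"],"token_policies":["default"],"identity_policies":["root"]},"request":{"path":"secret/data/prod/db","operation":"read","namespace":{"path":""}}}
{"time":"2025-07-01T10:00:07Z","type":"request","auth":{"display_name":"userpass-bob","entity_id":"e3","policies":["default","dev"],"token_policies":["default"],"identity_policies":["dev"]},"request":{"path":"secret/data/dev/app","operation":"read","namespace":{"path":""}}}
"""

IDENTITY_WRITE_OPS = {"create", "update", "patch", "delete"}


def parse_audit_lines(text: str) -> list[dict[str, Any]]:
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole scan
    return entries


def has_root_via_identity(entry: dict[str, Any]) -> bool:
    """True when the token's identity-derived policies include root."""
    auth = entry.get("auth") or {}
    identity_policies = auth.get("identity_policies") or []  # may be null/absent
    return "root" in identity_policies


def is_root_namespace_identity_write(entry: dict[str, Any]) -> bool:
    """True for a write operation against identity/* in the root namespace."""
    req = entry.get("request") or {}
    ns_path = (req.get("namespace") or {}).get("path", "")
    path = req.get("path", "")
    return (
        ns_path == ""
        and path.startswith("identity/")
        and req.get("operation") in IDENTITY_WRITE_OPS
    )


def _summary(entry: dict[str, Any]) -> dict[str, str]:
    auth = entry.get("auth") or {}
    req = entry.get("request") or {}
    return {
        "time": entry.get("time", ""),
        "display_name": auth.get("display_name", ""),
        "entity_id": auth.get("entity_id", ""),
        "path": req.get("path", ""),
    }


def find_root_identity_tokens(entries: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Tokens that obtained root through identity policies: the advisory's indicator."""
    return [_summary(e) for e in entries if has_root_via_identity(e)]


def find_identity_writes(entries: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Identity-endpoint writes in the root namespace, for correlating who granted what."""
    return [_summary(e) for e in entries if is_root_namespace_identity_write(e)]


def scan(text: str) -> dict[str, list[dict[str, str]]]:
    entries = parse_audit_lines(text)
    return {
        "root_via_identity": find_root_identity_tokens(entries),
        "identity_writes": find_identity_writes(entries),
    }


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_AUDIT_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Point the script at a real audit file with `python3 scan.py < vault_audit.log` after swapping SAMPLE_AUDIT_LOG for stdin; the two lists are worth feeding into alerting separately, since an identity write is routine for identity administrators while a token showing root in identity_policies is never expected and should be triaged immediately.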
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | | |
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | | |
| external secrets operator for Red Hat OpenShift - Tech Preview | external-secrets-operator/external-secrets-operator-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/cephcsi-rhel9 | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/mcg-cli-rhel9 | Not affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/mcg-rhel9-operator | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/odf-cli-rhel9 | Affected | | |
| Red Hat Trusted Artifact Signer | rhtas/client-server-rhel9 | Will not fix | | |
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Will not fix | | |
Additional information
CVSS3: 7.2 High
Related vulnerabilities
Hashicorp Vault has Privilege Escalation Vulnerability
A vulnerability in the Vault Enterprise and Vault Community Edition enterprise information archiving platforms, related to incorrect privilege assignment, that allows an attacker to escalate their privileges to root level.