SB2021042180 - Multiple vulnerabilities in Vault Enterprise
Published: April 21, 2021 Updated: April 17, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2021-29653)
The vulnerability allows a remote user to bypass certificate revocation checks.
The vulnerability exists due to improper certificate revocation handling in the PKI Secrets Engine CRL generation logic when processing a tidy operation with tidy_revoked_certs enabled. A remote user can use a revoked but unexpired certificate to bypass certificate revocation checks.
Exploitation requires use of the PKI revocation mechanism and enforcement of the generated certificate revocation list, and only occurs when the tidy_revoked_certs setting is enabled.
2) Improper Certificate Validation (CVE-ID: CVE-2021-27400)
The vulnerability allows a remote attacker to intercept encrypted connections.
The vulnerability exists due to improper certificate validation in the Cassandra storage backend and Cassandra database secrets engine plugin when connecting to Cassandra clusters over TLS. A remote attacker can present an untrusted certificate to intercept encrypted connections.
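The following Go program is an added example and is not code from this bulletin, from Vault, or from the Cassandra plugin; it illustrates both findings above with the standard library only. For the first finding, it shows a revoked-certificate tidy that keeps a CRL entry for every revoked certificate until that certificate expires, a relying-party CRL check that verifies the CRL's signature and freshness before trusting its entries, and an audit helper that reports revoked-but-unexpired certificates missing from a CRL (the condition under which a CRL check would wrongly accept a revoked certificate). For the second finding, it shows the client-side TLS validation a Cassandra client must perform: chain building against a pinned trust root plus host name verification, with InsecureSkipVerify left at its default. The CA, server names, serial numbers and validity periods are constructed in memory for the example and do not correspond to any real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must panics on error; acceptable for the throw-away test material built here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate with a fresh key: an issuing CA (able to sign certificates
// and CRLs) when isCA is set, otherwise a TLS server certificate for name. A nil parent
// makes the result self-signed, i.e. a certificate no trust store vouches for.
func newCert(now time.Time, serial int64, name string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.SubjectKeyId = true, true, []byte{1, 2, 3, 4}
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// tidyEntries is the safe form of a revoked-certificate tidy: an entry is dropped only once
// its certificate has expired, so every revoked, still-valid certificate stays on the CRL.
func tidyEntries(revoked []*x509.Certificate, now time.Time) []pkix.RevokedCertificate {
	var out []pkix.RevokedCertificate
	for _, c := range revoked {
		if now.Before(c.NotAfter) {
			out = append(out, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
		}
	}
	return out
}

// issueCRL signs a CRL over entries and parses it back as a relying party would receive it.
func issueCRL(entries []pkix.RevokedCertificate, ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour), RevokedCertificates: entries}, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// isRevoked is the relying-party check: consult the CRL's entries only after verifying
// that the expected CA signed it and that it is still current.
func isRevoked(cert *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("stale CRL: NextUpdate has passed")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// auditCRL returns the serials of revoked, unexpired certificates the CRL fails to list;
// each one would wrongly pass a CRL check, which is the bypass condition to detect.
func auditCRL(revoked []*x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate, now time.Time) []string {
	var missing []string
	for _, c := range revoked {
		if r, err := isRevoked(c, crl, ca, now); now.Before(c.NotAfter) && (err != nil || !r) {
			missing = append(missing, c.SerialNumber.String())
		}
	}
	return missing
}

// clientTLSConfig: a pinned trust root plus the expected server name, with
// InsecureSkipVerify left at its false default so the checks below actually run.
func clientTLSConfig(ca *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// verifyServerCert applies the chain and host name checks a handshake under cfg performs;
// a nil error means the presented server certificate would be accepted.
func verifyServerCert(serverCert *x509.Certificate, cfg *tls.Config, now time.Time) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName, CurrentTime: now})
	return err
}
```

The functions are meant to be driven from a test or a small program: create a CA with newCert, issue and "revoke" a few leaves, run tidyEntries and issueCRL, and then call auditCRL against the regenerated CRL; any serial it returns is a revoked certificate that is still within its validity period yet would pass a CRL check. For the TLS side, verifyServerCert with clientTLSConfig rejects a self-signed certificate and a CA-issued certificate for a different host name, which is exactly the validation that a configuration skipping certificate verification would omit.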
Remediation
Install the update from the vendor's website.