SB2023033012 - Multiple vulnerabilities in HashiCorp Vault and Vault Enterprise

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2023-0620)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data when using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) Input validation error (CVE-ID: CVE-2023-0665)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the PKI mount issuer endpoints do not correctly authorize access to remove an issuer or modify issuer metadata. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Information disclosure (CVE-ID: CVE-2023-25000)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the Shamir implementation uses precomputed table lookups. A remote user can perform a cache-timing attack and recover the Shamir shares.

Remediation

Install update from vendor's website.

References

• https://discuss.hashicorp.com/t/hcsec-2023-12-vault-s-microsoft-sql-database-storage-backend-vulnerable-to-sql-injection-via-configuration-file/52080/1
• https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1
• https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078