CVE-2024-9180: HashiCorp Vault Vulnerability Could Lead to Privilege Escalation
HashiCorp has issued a security bulletin disclosing a vulnerability in its Vault secret management platform that could allow attackers to escalate their privileges to the highly sensitive root policy.
Tracked as CVE-2024-9180 and assigned a CVSSv3 score of 7.2, this vulnerability stems from “the mishandling of entries in Vault’s in-memory entity cache.” The bulletin explains that a malicious actor with “write permissions to the root namespace’s identity endpoint could manipulate their cached entity record through the identity API endpoint on a Vault node, potentially escalating their privileges to Vault’s root policy on this node.”
Essentially, this means an attacker could exploit this flaw to gain complete control over the Vault instance, potentially compromising sensitive data and disrupting critical operations.
Fortunately, the impact of this vulnerability is somewhat limited. HashiCorp clarifies that “the manipulated entity record was not propagated across the cluster or persisted to the storage backend, and would be cleared on server restarts.”
Furthermore, the vulnerability only affects entities in the root namespace and does not impact those within standard or administrative namespaces. HCP Vault Dedicated is also unaffected due to its reliance on administrative namespaces.
Nevertheless, HashiCorp urges all Vault users to “evaluate the risk associated with this issue and consider upgrading” to a patched version. Remediation is available in the following releases:
- Vault Community Edition: 1.18.0
- Vault Enterprise: 1.18.0, 1.17.7, 1.16.11, 1.15.16
As an alternative to upgrading, HashiCorp suggests implementing Sentinel EGP policies or modifying the default policy to restrict access to the identity endpoint. Additionally, monitoring Vault audit logs for entries containing “root” within the “identity_policy” array can help detect potential exploitation attempts.
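The audit-log check the bulletin recommends can be automated. The script below is an added example, not HashiCorp's code or the bulletin's own tooling: it reads Vault audit log lines (JSON, one entry per line), looks in the entry's `auth` block for the identity-derived policy array and flags any entry where that array contains `root`. The sample log lines are constructed for this example and are not real data. Production Vault audit entries name the array `auth.identity_policies`; the script also accepts the singular `identity_policy` spelling used in the bulletin text, which is an assumption about alternative log shapes rather than a documented field. Note that a genuine root token shows `root` under `token_policies`, not under the identity array, so that case is deliberately not flagged.

```python
import json
from typing import Iterable

# Constructed sample audit entries (not real data). Entry 2 is an ordinary root
# token (root under token_policies only); entry 3 is the anomaly the bulletin
# describes: "root" appearing in the identity-derived policy array. Entry 4 is
# malformed to show that the scanner skips unparseable lines instead of crashing.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-10-10T12:00:01Z","type":"request","auth":{"display_name":"userpass-alice","entity_id":"11111111-aaaa-4bbb-8ccc-000000000001","policies":["default","dev-read"],"token_policies":["default"],"identity_policies":["dev-read"]},"request":{"path":"secret/data/dev/app","operation":"read","remote_address":"10.0.0.5"}}
{"time":"2024-10-10T12:03:17Z","type":"request","auth":{"display_name":"root","policies":["root"],"token_policies":["root"],"identity_policies":[]},"request":{"path":"sys/policies/acl/default","operation":"update","remote_address":"10.0.0.2"}}
{"time":"2024-10-10T12:05:42Z","type":"response","auth":{"display_name":"userpass-bob","entity_id":"22222222-aaaa-4bbb-8ccc-000000000002","policies":["default","root"],"token_policies":["default"],"identity_policies":["root"]},"request":{"path":"secret/data/prod-db","operation":"read","remote_address":"10.0.0.9"}}
this line is not JSON and should be skipped
"""

# Field names checked inside auth: the real Vault field first, then the
# bulletin's singular wording as an assumed fallback.
IDENTITY_POLICY_KEYS = ("identity_policies", "identity_policy")


def identity_policies(entry: dict) -> list[str]:
    """Return the identity-derived policy list from an audit entry, or [] if absent."""
    auth = entry.get("auth") or {}
    for key in IDENTITY_POLICY_KEYS:
        value = auth.get(key)
        if isinstance(value, list):
            return [str(p) for p in value]
    return []


def is_suspicious(entry: dict) -> bool:
    """True when 'root' is attached through identity rather than through the token itself."""
    return "root" in identity_policies(entry)


def scan_audit_log(lines: Iterable[str]) -> list[dict]:
    """Scan audit log lines and return a record per suspicious entry."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            # Audit logs can contain partial lines after a rotation or crash; skip them.
            continue
        if not is_suspicious(entry):
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        hits.append({
            "line": lineno,
            "time": entry.get("time"),
            "type": entry.get("type"),
            "display_name": auth.get("display_name"),
            "entity_id": auth.get("entity_id"),
            "path": request.get("path"),
            "remote_address": request.get("remote_address"),
            "identity_policies": identity_policies(entry),
        })
    return hits


def main() -> None:
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['time']} {hit['display_name']} "
              f"(entity {hit['entity_id']}) from {hit['remote_address']} -> "
              f"{hit['path']} identity_policies={hit['identity_policies']}")


if __name__ == "__main__":
    main()
```

To run it against a real file, replace `SAMPLE_AUDIT_LOG.splitlines()` with an open file handle over the audit device's log. The `entity_id` and `remote_address` in each hit are what an operator needs to decide whether the entity record on that node should be inspected and the node restarted, since the bulletin states a manipulated record does not survive a restart.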