HashiCorp Vault Flaw (CVE-2024-7594): Unrestricted SSH Access Threatens System Security
HashiCorp, a leading provider of infrastructure automation software, has issued a critical security advisory concerning a vulnerability in its popular secrets management tool, Vault. The flaw, designated as CVE-2024-7594 and assigned a CVSS score of 7.7, affects both Vault Community Edition and Vault Enterprise versions ranging from 1.7.7 to 1.17.5. The vulnerability, if exploited, could grant attackers unrestricted SSH access to systems, potentially leading to data breaches, service disruptions, and unauthorized control over critical infrastructure.
The Problem: Unrestricted SSH Certificates
The core of the issue lies within Vault’s SSH secrets engine, a feature designed to streamline the management of SSH access to various systems. Unfortunately, a configuration oversight allowed the valid_principals list, a crucial security measure that restricts the users an SSH certificate can authenticate as, to remain unenforced by default. This oversight created a dangerous loophole, enabling attackers to acquire SSH certificates that granted them access to any user on a targeted system, effectively bypassing the intended security controls.
The Fix: Updated Vault Versions and Configuration
HashiCorp has addressed this vulnerability in Vault Community Edition 1.17.6 and Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. Additionally, a new configuration option, allow_empty_principals, has been introduced to provide more control over this behavior.
HashiCorp extends its gratitude to Jörn Heissler for responsibly disclosing the CVE-2024-7594 vulnerability.
Action Required: Upgrade or Configure
Vault users are strongly encouraged to either upgrade to the patched versions or ensure that their SSH secrets engine configurations include non-empty valid_principals lists. This will prevent attackers from exploiting this vulnerability and gaining unauthorized access to sensitive systems.
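The following Python audit is an added example, not code from HashiCorp or from the advisory. It illustrates the two checks an operator would want before and after patching: whether any CA-type SSH role is configured so that a signing request with an empty valid_principals list would produce a certificate with no principals, and whether a given signing request would end up with an empty principal list. The role JSON is constructed to resemble what `vault read -format=json ssh/roles/<name>` returns; the field names key_type, allowed_users and default_user are assumptions about Vault's SSH role schema, and the fallback of an empty valid_principals to the role's default_user is likewise an assumption about the engine's behaviour. Only valid_principals and allow_empty_principals are named by the advisory itself.

```python
import json

# Constructed sample role configurations (not real Vault output). The shape
# mimics `vault read -format=json ssh/roles/<name>`; key_type, allowed_users
# and default_user are assumed Vault role fields.
SAMPLE_ROLES = {
    "ops-ca": {
        "data": {
            "key_type": "ca",
            "allowed_users": "deploy,ops",
            "default_user": "deploy",
            "allow_empty_principals": False,
        }
    },
    "legacy-ca": {
        "data": {
            "key_type": "ca",
            "allowed_users": "*",
            "default_user": "",
            "allow_empty_principals": True,
        }
    },
    # OTP roles do not issue certificates, so principals do not apply.
    "otp-role": {"data": {"key_type": "otp", "default_user": "ubuntu"}},
}

# Constructed signing requests, as a client would send to ssh/sign/<role>.
SAMPLE_SIGN_REQUESTS = [
    {"role": "ops-ca", "valid_principals": "ops"},
    {"role": "ops-ca", "valid_principals": ""},
    {"role": "legacy-ca", "valid_principals": ""},
]


def effective_principals(role_data, requested):
    """Return the principal list a signed certificate would carry.

    Assumption: an empty valid_principals in the request falls back to the
    role's default_user, so a role with no default_user and a request with
    no principals yields an empty list (the unrestricted case).
    """
    raw = requested.strip() or role_data.get("default_user", "").strip()
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit_role(name, role):
    """Flag configuration that can lead to a certificate with no principals."""
    data = role["data"]
    findings = []
    if data.get("key_type") != "ca":
        return findings
    if data.get("allow_empty_principals") is True:
        findings.append(
            f"{name}: allow_empty_principals=true permits certificates "
            f"with no principals"
        )
    if not data.get("default_user", "").strip():
        findings.append(
            f"{name}: no default_user, so a request that omits "
            f"valid_principals has no fallback principal"
        )
    if data.get("allowed_users", "").strip() == "*":
        findings.append(f"{name}: allowed_users is the wildcard '*'")
    return findings


def check_sign_request(roles, request):
    """Return (accepted, principals) for a request under a strict policy:
    reject any request whose effective principal list is empty."""
    role_data = roles[request["role"]]["data"]
    principals = effective_principals(
        role_data, request.get("valid_principals", "")
    )
    return (bool(principals), principals)


def run_audit(roles, requests):
    """Combine role findings and rejected requests into one report dict."""
    report = {"role_findings": [], "rejected_requests": []}
    for name, role in roles.items():
        report["role_findings"].extend(audit_role(name, role))
    for req in requests:
        accepted, _ = check_sign_request(roles, req)
        if not accepted:
            report["rejected_requests"].append(req["role"])
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(SAMPLE_ROLES, SAMPLE_SIGN_REQUESTS), indent=2))
```

On a real deployment the role dictionary would be built by listing ssh/roles and reading each one; the audit deliberately treats a true allow_empty_principals as a finding even on patched versions, since that setting restores the behaviour the advisory describes.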