Software could expose users’ secrets when configured with AWS and Google Cloud

Vulnerabilities in HashiCorp Vault could lead to authentication bypass

Two vulnerabilities in HashiCorp Vault could allow an attacker to bypass authentication checks in Amazon Web Services (AWS) and Google Cloud Platform (GCP) configurations.

HashiCorp Vault is a widely used cloud-native secrets management tool that can store, generate, and control access to secrets such as API keys, credentials, and certificates.

The technology can provide temporary credentials to services or third-party resources such as an AWS S3 bucket, explains Felix Wilhelm of Google’s Project Zero in a blog post.

“However, a central storage is also a very interesting target for an attacker. Exploiting a vulnerability in Vault could give an attacker full access to a wide range of important secrets and large parts of the target's infrastructure,” the post reads.

Keys to the Vault

HashiCorp Vault can be configured with popular resources including AWS and GCP.

Wilhelm detailed how two vulnerabilities in the secrets management software could lead to authentication bypass in configurations that use either AWS or GCP.

The first vulnerability enables an attacker to bypass authentication within the HashiCorp Vault Server for configurations with AWS.

The second vulnerability is a complex logic bug in the authentication process for deployments on Google Cloud.

Because the server shares the same code between two different authentication methods, the researcher was able to bypass authentication by tampering with the request parameters.

More details about the process can be found in the blog post.

Third-party pitfalls

Wilhelm said these vulnerabilities highlight the pitfalls of interacting with external systems and services.

The researcher wrote: “A strong developer might be able to reason about all security boundaries, requirements and pitfalls of their own software, but it becomes very difficult once a complex external service comes into play.

“Modern cloud IAM solutions are powerful and often more secure than comparable on-premise solutions, but they come with their own security pitfalls and a high implementation complexity.

“As more and more companies move to the big cloud providers, familiarity with these technology stacks will become a key skill for security engineers and researchers and it is safe to assume that there will be a lot of similar issues in the next few years.”

Wilhelm added: “Even with memory-safe languages, strong cryptography primitives, static analysis and large fuzzing infrastructure, some issues can only be discovered by manual code review and an attacker mindset.”

The security issues outlined in Project Zero’s latest technical write-up have all been patched by the respective vendors.
