=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN281

_____________________________________________________________________

DATE                : 06/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running hashicorp/vault (Go) versions
                      prior to 1.19.1, 1.18.7, 1.17.14, 1.16.18.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
_____________________________________________________________________

HCSEC-2025-07 - Vault’s Azure Authentication Method bound_location
Restriction Could be Bypassed on Login

mickael, May 2, 2025, 2:52pm

Bulletin ID: HCSEC-2025-07
Affected Products / Versions: Vault Community Edition from 0.10.0 up
to 1.19.0, fixed in 1.19.1.

Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13, 1.16.17,
fixed in 1.19.1, 1.18.7, 1.17.14, 1.16.18.

Publication Date: May 2, 2025

Summary
The Vault Community and Vault Enterprise (“Vault”) Azure Auth method did
not correctly validate the claims in the Azure-issued token, which could
allow the bound_locations parameter to be bypassed on login.
This vulnerability, identified as CVE-2025-3879, is fixed in Vault
Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7,
1.17.14, 1.16.18.


Background
The Azure auth method authenticates users or machines to Vault using
an assertion signed by Azure Active Directory for a configured tenant.

The Azure auth method’s bound_locations parameter can be set by an
operator to enforce geographical restrictions for logins to Vault.


Details
The user-provided vm_name or vmss_name login parameters were not
validated against the Azure-issued token claims. Setting a vm_name
or vmss_name that would satisfy the login requirements could be
used to bypass the bound_location restriction.

The Azure auth method will now require the user-provided
resource_group_name, vm_name, vmss_name parameters to match the
Azure AD token claims on login. More information can be found in
Azure - Auth Methods | Vault | HashiCorp Developer.
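The check described above, as an added example in Go (Vault's language) that is not Vault's own code: the pre-fix behaviour takes the VM identity straight from the request, so the subsequent bound_locations lookup is made for whatever the caller names; the hardened version first derives the identity from the token's resource ID claim and requires resource_group_name, vm_name and vmss_name to agree with it. The claim name "xms_mirid", the resource ID layout, and the requirement that one of vm_name or vmss_name be present are assumptions of this example, not statements about Vault's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// loginParams are the caller-supplied fields of an Azure auth login
// request, using the parameter names from the bulletin.
type loginParams struct {
	ResourceGroupName string
	VMName            string
	VMSSName          string
}

// attestedIdentity is what the Azure-issued token actually vouches for.
type attestedIdentity struct {
	ResourceGroup string
	VMName        string
	VMSSName      string
}

// parseResourceID extracts the resource group and VM / VMSS name from an
// Azure resource ID of the assumed form
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>.
// The path is a sequence of key/value pairs, so it is walked two at a time;
// key matching is case-insensitive because Azure resource IDs are.
func parseResourceID(rid string) (attestedIdentity, error) {
	var id attestedIdentity
	parts := strings.Split(strings.Trim(rid, "/"), "/")
	for i := 0; i+1 < len(parts); i += 2 {
		switch strings.ToLower(parts[i]) {
		case "resourcegroups":
			id.ResourceGroup = parts[i+1]
		case "virtualmachines":
			id.VMName = parts[i+1]
		case "virtualmachinescalesets":
			id.VMSSName = parts[i+1]
		}
	}
	if id.ResourceGroup == "" || (id.VMName == "" && id.VMSSName == "") {
		return attestedIdentity{}, fmt.Errorf("resource id %q does not name a VM or VMSS", rid)
	}
	return id, nil
}

// vulnerableResolve mirrors the pre-fix behaviour the bulletin describes:
// the identity handed to the bound_locations lookup comes from the request
// alone, so the token never constrains it.
func vulnerableResolve(p loginParams, claims map[string]interface{}) (attestedIdentity, error) {
	return attestedIdentity{ResourceGroup: p.ResourceGroupName, VMName: p.VMName, VMSSName: p.VMSSName}, nil
}

// hardenedResolve requires every caller-supplied parameter to match the
// identity in the token's resource ID claim ("xms_mirid" is an assumption
// for this example). The returned identity, not the request, is what the
// location lookup should be performed for.
func hardenedResolve(p loginParams, claims map[string]interface{}) (attestedIdentity, error) {
	rid, ok := claims["xms_mirid"].(string)
	if !ok || rid == "" {
		return attestedIdentity{}, errors.New("token lacks a managed identity resource id claim")
	}
	id, err := parseResourceID(rid)
	if err != nil {
		return attestedIdentity{}, err
	}
	if p.VMName == "" && p.VMSSName == "" {
		return attestedIdentity{}, errors.New("one of vm_name or vmss_name is required")
	}
	if !strings.EqualFold(p.ResourceGroupName, id.ResourceGroup) {
		return attestedIdentity{}, errors.New("resource_group_name does not match token claims")
	}
	if p.VMName != "" && !strings.EqualFold(p.VMName, id.VMName) {
		return attestedIdentity{}, errors.New("vm_name does not match token claims")
	}
	if p.VMSSName != "" && !strings.EqualFold(p.VMSSName, id.VMSSName) {
		return attestedIdentity{}, errors.New("vmss_name does not match token claims")
	}
	return id, nil
}

func main() {
	// Constructed token claim: the identity really attested by Azure.
	claims := map[string]interface{}{
		"xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web-01",
	}
	matching := loginParams{ResourceGroupName: "prod-rg", VMName: "web-01"}
	mismatched := loginParams{ResourceGroupName: "prod-rg", VMName: "some-other-vm"}
	for _, p := range []loginParams{matching, mismatched} {
		v, _ := vulnerableResolve(p, claims)
		h, err := hardenedResolve(p, claims)
		fmt.Printf("vm_name=%-14s vulnerable uses %q; hardened uses %q err=%v\n", p.VMName, v.VMName, h.VMName, err)
	}
}
```

The point of returning the token-derived identity from hardenedResolve is that any later policy check, bound_locations included, is evaluated against a VM the caller could not choose independently of the credential it presented.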


Remediation
Customers should evaluate the risk associated with this issue and
consider upgrading to Vault 1.19.1, 1.18.7, 1.17.14, 1.16.18, or
newer. Please refer to Upgrading Vault for general guidance.


Acknowledgement
This issue was identified by HashiCorp’s external security
assessment partner.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities, please
see https://hashicorp.com/security.

_____________________________________________________________________

HCSEC-2025-09 - Vault May Expose Sensitive Information in Error Logs
When Processing Malformed Data With the KV v2 Plugin

mark.collao, May 2, 2025, 2:53pm

Bulletin ID: HCSEC-2025-09
Affected Products / Versions:
Vault Community Edition from 0.3.0 up to 1.19.2, fixed in 1.19.3.
Vault Enterprise from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15, 1.16.19,
fixed in 1.19.3, 1.18.9, 1.17.16, 1.16.20.
Publication Date: May 2, 2024


Summary
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin
may unintentionally expose sensitive information in server and audit
logs when users submit malformed payloads during secret creation or
update operations via the Vault REST API. This vulnerability,
identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and
Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.


Background
The kv secrets engine is a generic key-value store used to store
arbitrary secrets within the configured physical storage for Vault.
This secrets engine can run in one of two modes: store a single
value for a key, or store a number of versions for each key and
maintain the record of them. More information can be found at
https://developer.hashicorp.com/vault/docs/secrets/kv


Details
When creating or updating secrets using the KV v2 plugin through
the REST API, Vault inadvertently logged the value of the secret
when an error occurred in the server logs and audit logs. The
inadvertent logging only affected operations if a payload was
sent incorrectly, such as improperly formatted JSON. Normal
operations through the UI or CLI are unaffected.


Remediation
Customers with the capability to search through server and audit
logs for any possible exposed secrets can refer to the following
snippets to aid in searching. More information on viewing audit
and server logs can be found at
Troubleshoot Vault | Vault | HashiCorp Developer


Audit Log

{"auth":{"token_type":"default"},"error":"error converting input <sensitive data> for field \"data\": '' expected a map, got 'string'","request":{"client_token":"","client_token_accessor":"","data":{"data":""},"id":"","":"","mount_class":"secret","mount_point":"kv/","mount_type":"kv","mount_running_version":"","namespace":{""},"operation":"update","path":"","remote_address":"","remote_port":},"time":"","type":"request"}

Server Log

[ERROR] core: failed to run existence check: error="error converting
input <secret data> for field \"data\": '' expected a map, got 'string'"


If any matches are found, rotating the affected secret is advised.
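The search the remediation section recommends, as an added example in Go that is not HashiCorp's code: it recognises the error text quoted in the two snippets above in both audit log entries (JSON, matched on the decoded error field) and raw server log lines, and for each hit records where the request went (mount point, path, time, remote address) so the affected secret can be rotated. The leaked value sits between "input" and "for field"; the scanner matches over it but never copies it into a finding, so the search output does not spread the exposure further. The log lines are constructed for this example, with placeholder values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// leakPattern matches the error text from the bulletin. The backslashes
// before the inner quotes are optional so the same pattern fits a
// JSON-decoded audit error field and a raw server log line.
var leakPattern = regexp.MustCompile(`error converting input .+ for field \\?"data\\?"`)

// auditEntry carries only the audit-log fields needed to locate a request.
type auditEntry struct {
	Error   string `json:"error"`
	Time    string `json:"time"`
	Request struct {
		MountPoint    string `json:"mount_point"`
		Path          string `json:"path"`
		RemoteAddress string `json:"remote_address"`
	} `json:"request"`
}

// finding records where a leaked value was logged, never the value itself.
type finding struct {
	Source     string // "audit", "server", or "raw" for unparseable JSON
	Line       int    // 1-based line number in the scanned input
	MountPoint string
	Path       string
	Time       string
	RemoteAddr string
}

// scanLogs inspects every line. Lines that parse as audit entries are
// matched on their decoded error field; everything else (server log lines,
// or audit lines too damaged to parse) is matched raw so nothing is missed.
func scanLogs(lines []string) []finding {
	var out []finding
	for i, line := range lines {
		trimmed := strings.TrimSpace(line)
		if trimmed == "" {
			continue
		}
		src := "server"
		if strings.HasPrefix(trimmed, "{") {
			var e auditEntry
			if err := json.Unmarshal([]byte(trimmed), &e); err == nil {
				if leakPattern.MatchString(e.Error) {
					out = append(out, finding{Source: "audit", Line: i + 1,
						MountPoint: e.Request.MountPoint, Path: e.Request.Path,
						Time: e.Time, RemoteAddr: e.Request.RemoteAddress})
				}
				continue
			}
			src = "raw"
		}
		if leakPattern.MatchString(trimmed) {
			out = append(out, finding{Source: src, Line: i + 1})
		}
	}
	return out
}

// sampleLines are constructed for this example; "hunter2-placeholder" stands
// in for a secret value that was echoed into the error message.
var sampleLines = []string{
	`{"auth":{"token_type":"default"},"error":"error converting input hunter2-placeholder for field \"data\": '' expected a map, got 'string'","request":{"client_token":"hmac-sha256:constructed","data":{"data":""},"mount_point":"kv/","mount_type":"kv","operation":"update","path":"kv/data/app/db","remote_address":"10.0.0.5"},"time":"2025-05-02T14:00:00Z","type":"request"}`,
	`{"auth":{"token_type":"default"},"request":{"mount_point":"kv/","mount_type":"kv","operation":"update","path":"kv/data/app/db","remote_address":"10.0.0.5"},"time":"2025-05-02T14:01:00Z","type":"request"}`,
	`[ERROR] core: failed to run existence check: error="error converting input hunter2-placeholder for field \"data\": '' expected a map, got 'string'"`,
	`[ERROR] core: failed to run existence check: error="permission denied"`,
}

func main() {
	for _, f := range scanLogs(sampleLines) {
		fmt.Printf("%-6s line %d mount=%q path=%q time=%s from=%s\n",
			f.Source, f.Line, f.MountPoint, f.Path, f.Time, f.RemoteAddr)
	}
}
```

To run it over real files, replace sampleLines with the lines read from the audit device file and the server log; the path in each audit finding names the kv entry whose secret should be rotated, while server log hits give only a timestamp and need to be correlated with audit entries from the same moment.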

Customers should evaluate the risk associated with this issue
and consider upgrading to Vault 1.19.3, 1.18.9, 1.17.16,
1.16.20, or newer. Please refer to Upgrading Vault for general
guidance.


Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities,
please see https://hashicorp.com/security.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
