
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN502
_____________________________________________________________________

DATE                : 12/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Vault Community Edition 1.10.0
                               through 1.20.1, or Vault Enterprise
                               1.10.0 through 1.20.1, 1.19.7, 1.18.12,
                               1.16.23 or 1.15.16 (see affected
                               versions below).

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
_____________________________________________________________________

 HCSEC-2025-20 - Vault LDAP MFA Enforcement Bypass When Using
Username As Alias

Posted Aug 6 by mickael


Bulletin ID: HCSEC-2025-20

Affected Products / Versions: Vault Community Edition from 1.10.0
up to 1.20.1, fixed in 1.20.2.
Vault Enterprise from 1.10.0 up to 1.20.1, 1.19.7, 1.18.12, 1.16.23,
1.15.16, fixed in 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Publication Date: August 6, 2025


Summary
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not
have correctly enforced MFA if username_as_alias was set to true
and a user had multiple CNs that are equal but with leading or
trailing spaces. This vulnerability, CVE-2025-6013, is fixed in
Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2,
1.19.8, 1.18.13, and 1.16.24.


Background
Vault’s ldap auth method allows authentication against an existing
LDAP server with user/password credentials. The optional
username_as_alias parameter makes the LDAP username (rather than the
user DN) the entity alias name for the ldap auth method.

Vault’s login MFA links an existing auth method, or an entity within
that auth method, to additional authentication factors such as TOTP.
A TOTP enforcement can be scoped to an auth method, an identity
group, or specific entity IDs.


Details
An LDAP username carrying leading or trailing whitespace can still be
valid: the directory normalizes it and the ldap backend reports a
successful authentication. When setting the alias name on that
successful login, the ldap auth method used the value exactly as the
user typed it, rather than the normalized user DN information
returned by the directory.

Because the directory and Vault normalized the string differently,
"alice" and " alice" could end up as distinct entity alias names (and
potentially distinct entity alias IDs) for the same directory user.
An MFA enforcement scoped to the entity created for the canonical
name was therefore not applied to logins that used a whitespace
variant, so MFA enforcement was not respected in some configurations.
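The following Go program is an added illustration of the alias-naming mismatch described above; it is not Vault's code and does not use the Vault API. It models a directory that ignores surrounding whitespace when matching a CN (an assumption standing in for the "multiple equal CNs" condition in the bulletin), an MFA enforcement keyed on the entity alias name, and a login routine that can set the alias either from the raw input (the behaviour the bulletin describes) or from the CN in the DN the directory returned (the hardened form). The directory contents, password and enforcement set are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for an LDAP directory (not Vault's ldap backend):
// canonical username -> DN returned after a successful bind.
var directory = map[string]string{
	"alice": "cn=alice,ou=people,dc=example,dc=com",
}

// Constructed test credential; any real deployment would never hard-code this.
const demoPassword = "correct horse"

// Constructed login-MFA enforcement: entity alias names on which TOTP is
// required. Real Vault scopes enforcements to auth methods, groups or entity
// IDs; keying on the alias name is the simplification used here.
var mfaEnforcedAliases = map[string]bool{"alice": true}

// ldapBind models how the directory matches a CN: case-insensitively and with
// surrounding whitespace ignored, so " alice" binds as the same person as "alice".
func ldapBind(username, password string) (string, error) {
	canonical := strings.ToLower(strings.TrimSpace(username))
	dn, ok := directory[canonical]
	if !ok || password != demoPassword {
		return "", errors.New("ldap: invalid credentials")
	}
	return dn, nil
}

// cnFromDN extracts the CN attribute value from the DN the directory returned.
// Falls back to the whole DN when no CN RDN is present.
func cnFromDN(dn string) string {
	for _, rdn := range strings.Split(dn, ",") {
		kv := strings.SplitN(strings.TrimSpace(rdn), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "cn") {
			return kv[1]
		}
	}
	return dn
}

// Login binds against the directory, then chooses the entity alias name and
// decides whether MFA applies. rawAlias=true uses the string the user typed,
// mirroring the vulnerable behaviour; rawAlias=false derives the alias from
// the directory's own DN, so whitespace variants collapse onto one entity.
func Login(username, password string, rawAlias bool) (alias string, mfaRequired bool, err error) {
	dn, err := ldapBind(username, password)
	if err != nil {
		return "", false, err
	}
	if rawAlias {
		alias = username
	} else {
		alias = cnFromDN(dn)
	}
	return alias, mfaEnforcedAliases[alias], nil
}

func main() {
	for _, raw := range []bool{true, false} {
		for _, name := range []string{"alice", " alice", "alice "} {
			alias, mfa, err := Login(name, demoPassword, raw)
			fmt.Printf("rawAlias=%-5v input=%q alias=%q mfaRequired=%v err=%v\n",
				raw, name, alias, mfa, err)
		}
	}
}
```

With rawAlias=true the input " alice" authenticates but produces the alias " alice", which is not in the enforcement set, so no second factor is demanded; with rawAlias=false every whitespace variant maps to the alias "alice" and MFA is required. The check a practitioner would carry over to a real deployment is the same: whatever string names the entity alias must be the normalized identity the directory confirmed, never the unmodified login input.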


Remediation
Customers should evaluate the risk associated with this issue
and consider upgrading to Vault Community Edition 1.20.2 or
Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. Please
refer to Upgrading Vault for general guidance.


Acknowledgement
This issue was identified by Yarden Porat of Cyata Security
who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities,
please see https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
