Information Disclosure in HashiCorp Vault
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.3.0 → fixed in 1.3.61.4.0 → fixed in 1.4.2
Details
HashiCorp Vault and Vault Enterprise before 1.3.6, and 1.4.2 before 1.4.2, insert Sensitive Information into a Log File. The vulnerability is affecting `github.com/hashicorp/vault/command` Go package.
The fix
changelog++
CHANGELOG.md+3 −2
@@ -29,7 +29,8 @@ BUG FIXES:## 1.4.2 (May 21st, 2020)SECURITY:-* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]+* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]+* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)]IMPROVEMENTS:@@ -216,7 +217,7 @@ BUG FIXES:## 1.3.6 (May 21st, 2020)SECURITY:-* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]+* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]BUG FIXES:
Don't include username or password of proxy env vars when
command/server.go+27 −7
@@ -445,9 +445,7 @@ func (c *ServerCommand) runRecoveryMode() int {vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration}-proxyCfg := httpproxy.FromEnvironment()-c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,-"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)+logProxyEnvironmentVariables(c.logger)// Initialize the storage backendfactory, exists := c.PhysicalBackends[config.Storage.Type]@@ -684,6 +682,31 @@ func (c *ServerCommand) runRecoveryMode() int {return 0}+func logProxyEnvironmentVariables(logger hclog.Logger) {+proxyCfg := httpproxy.FromEnvironment()+cfgMap := map[string]string{+"http_proxy": proxyCfg.HTTPProxy,+"https_proxy": proxyCfg.HTTPSProxy,+"no_proxy": proxyCfg.NoProxy,+}+for k, v := range cfgMap {+u, err := url.Parse(v)+if err != nil {+// Env vars may contain URLs or host:port values. We only care+// about the former.+continue+}+if _, ok := u.User.Password(); ok {+u.User = url.UserPassword("redacted-username", "redacted-password")+} else if user := u.User.Username(); user != "" {+u.User = url.User("redacted-username")+}+cfgMap[k] = u.String()+}+logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],+"https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])+}+func (c *ServerCommand) adjustLogLevel(config *server.Config, logLevelWasNotSet bool) (string, error) {var logLevelString stringif config.LogLevel != "" && logLevelWasNotSet {@@ -894,10 +917,7 @@ func (c *ServerCommand) Run(args []string) int {vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration}-// log proxy settings-proxyCfg := httpproxy.FromEnvironment()-c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,-"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)+logProxyEnvironmentVariables(c.logger)// If mlockall(2) isn't supported, show a warning. We disable this in dev// because it is quite scary to see when first using Vault. We also disable
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13223
- WEBhttps://github.com/hashicorp/vault/commit/87f47c216cf1a28f4054b80cff40de8c9e00e36c
- WEBhttps://github.com/hashicorp/vault/commit/e52f34772affb69f3239b2cdf6523cb7cfd67a92
- PACKAGEhttps://github.com/hashicorp/vault
- WEBhttps://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020
- WEBhttps://www.hashicorp.com/blog/category/vault