Security context
High· 7.5GHSA-25xj-89g5-fm6h CVE-2020-13223CWE-200CWE-532Published May 18, 2021

Information Disclosure in HashiCorp Vault

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.3.0 → fixed in 1.3.61.4.0 → fixed in 1.4.2

Details

HashiCorp Vault and Vault Enterprise before 1.3.6, and 1.4.2 before 1.4.2, insert Sensitive Information into a Log File. The vulnerability is affecting `github.com/hashicorp/vault/command` Go package.

The fix

changelog++

Meggie· May 21, 2020, 09:21 PM+3287f47c216c
CHANGELOG.md+3 2
@@ -29,7 +29,8 @@ BUG FIXES:
## 1.4.2 (May 21st, 2020)
SECURITY:
-* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
+* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
+* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)]
IMPROVEMENTS:
@@ -216,7 +217,7 @@ BUG FIXES:
## 1.3.6 (May 21st, 2020)
SECURITY:
-* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
+* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
BUG FIXES:

Don't include username or password of proxy env vars when

ncabatoff· May 19, 2020, 02:07 PM+277e52f34772a
command/server.go+27 7
@@ -445,9 +445,7 @@ func (c *ServerCommand) runRecoveryMode() int {
vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
}
- proxyCfg := httpproxy.FromEnvironment()
- c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
- "https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
+ logProxyEnvironmentVariables(c.logger)
// Initialize the storage backend
factory, exists := c.PhysicalBackends[config.Storage.Type]
@@ -684,6 +682,31 @@ func (c *ServerCommand) runRecoveryMode() int {
return 0
}
+func logProxyEnvironmentVariables(logger hclog.Logger) {
+ proxyCfg := httpproxy.FromEnvironment()
+ cfgMap := map[string]string{
+ "http_proxy": proxyCfg.HTTPProxy,
+ "https_proxy": proxyCfg.HTTPSProxy,
+ "no_proxy": proxyCfg.NoProxy,
+ }
+ for k, v := range cfgMap {
+ u, err := url.Parse(v)
+ if err != nil {
+ // Env vars may contain URLs or host:port values. We only care
+ // about the former.
+ continue
+ }
+ if _, ok := u.User.Password(); ok {
+ u.User = url.UserPassword("redacted-username", "redacted-password")
+ } else if user := u.User.Username(); user != "" {
+ u.User = url.User("redacted-username")
+ }
+ cfgMap[k] = u.String()
+ }
+ logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],
+ "https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])
+}
+
func (c *ServerCommand) adjustLogLevel(config *server.Config, logLevelWasNotSet bool) (string, error) {
var logLevelString string
if config.LogLevel != "" && logLevelWasNotSet {
@@ -894,10 +917,7 @@ func (c *ServerCommand) Run(args []string) int {
vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
}
- // log proxy settings
- proxyCfg := httpproxy.FromEnvironment()
- c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
- "https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
+ logProxyEnvironmentVariables(c.logger)
// If mlockall(2) isn't supported, show a warning. We disable this in dev
// because it is quite scary to see when first using Vault. We also disable

References