Enumeration of users in HashiCorp Vault
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.5.0 → fixed in 1.5.61.6.0 → fixed in 1.6.1
Details
HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
The fix
Improve consistency in error messages
builtin/credential/ldap/backend.go+4 −2
@@ -12,6 +12,8 @@ import ("github.com/hashicorp/vault/sdk/logical")+const errUserBindFailed = `ldap operation failed: failed to bind as user`+func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {b := Backend()if err := b.Setup(ctx, conf); err != nil {@@ -93,7 +95,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username striif b.Logger().IsDebug() {b.Logger().Debug("error getting user bind DN", "error", err)}-return nil, logical.ErrorResponse("ldap operation failed: unable to retrieve user bind DN"), nil, nil+return nil, logical.ErrorResponse(errUserBindFailed), nil, nil}if b.Logger().IsDebug() {@@ -110,7 +112,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username striif b.Logger().IsDebug() {b.Logger().Debug("ldap bind failed", "error", err)}-return nil, logical.ErrorResponse("ldap operation failed: failed to bind as user"), nil, nil+return nil, logical.ErrorResponse(errUserBindFailed), nil, nil}// We re-bind to the BindDN if it's defined because we assumechangelog/10537.txt | 3 +++1 file changed, 3 insertions(+)create mode 100644 changelog/10537.txt
changelog/10537.txt+3 −0
@@ -0,0 +1,3 @@+```release-note:improvement+auth/ldap: Improve consistency in error messages+```