Security context
Medium· 6.5GHSA-rpgp-9hmg-j25x CVE-2020-35177CWE-200Published Jan 31, 2024

Enumeration of users in HashiCorp Vault

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.5.0 → fixed in 1.5.61.6.0 → fixed in 1.6.1

Details

HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

The fix

Improve consistency in error messages

catsby· Dec 11, 2020, 08:29 PM+72f901a83295
builtin/credential/ldap/backend.go+4 2
@@ -12,6 +12,8 @@ import (
"github.com/hashicorp/vault/sdk/logical"
)
+const errUserBindFailed = `ldap operation failed: failed to bind as user`
+
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
b := Backend()
if err := b.Setup(ctx, conf); err != nil {
@@ -93,7 +95,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if b.Logger().IsDebug() {
b.Logger().Debug("error getting user bind DN", "error", err)
}
- return nil, logical.ErrorResponse("ldap operation failed: unable to retrieve user bind DN"), nil, nil
+ return nil, logical.ErrorResponse(errUserBindFailed), nil, nil
}
if b.Logger().IsDebug() {
@@ -110,7 +112,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if b.Logger().IsDebug() {
b.Logger().Debug("ldap bind failed", "error", err)
}
- return nil, logical.ErrorResponse("ldap operation failed: failed to bind as user"), nil, nil
+ return nil, logical.ErrorResponse(errUserBindFailed), nil, nil
}
// We re-bind to the BindDN if it's defined because we assume
changelog/10537.txt | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 changelog/10537.txt
changelog/10537.txt+3 0
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Improve consistency in error messages
+```

References