Security context
High· 7.5GHSA-rq95-xf66-j689 CVE-2021-3282CWE-287Published Jan 31, 2024

Improper Authentication in HashiCorp Vault

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.6.0 → fixed in 1.6.2

Details

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.

The fix

Backport: Fix remove peers check (#10758) (#10782)

Vishal Nayak· Jan 26, 2021, 07:57 PM+1509f9068e22
vault/logical_system_helpers.go+0 4
@@ -92,10 +92,6 @@ var (
}
checkRaw = func(b *SystemBackend, path string) error { return nil }
-
- wrapHandleRaftRemovePeer = func(b *SystemBackend) framework.OperationFunc {
- return b.handleRaftRemovePeerUpdate()
- }
)
// tuneMount is used to set config on a mount point
vault/logical_system_raft.go+1 1
@@ -82,7 +82,7 @@ func (b *SystemBackend) raftStoragePaths() []*framework.Path {
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
- Callback: wrapHandleRaftRemovePeer(b),
+ Callback: b.verifyDROperationToken(b.handleRaftRemovePeerUpdate(), false),
Summary: "Remove a peer from the raft cluster.",
},
},

References