CVE-2024-6468 in Vault

Summary

by MITRE • 07/12/2024

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.

While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.

Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.


Analysis

by VulDB Data Team • 07/13/2024

CVE-2024-6468 is a critical denial of service weakness in HashiCorp Vault and Vault Enterprise. It manifests only when the TCP listener option proxy_protocol_behavior is set to deny_unauthorized. Because of improper error handling, a request from an IP address that is not listed in proxy_protocol_authorized_addrs causes the Vault API server to shut down entirely instead of rejecting that single connection. Once shut down, the server processes no further HTTP requests, so the service becomes unavailable to legitimate users and attackers alike.

Technically, the flaw lies in the interaction between the PROXY protocol handling in Vault's network listener and the listener's authorized-address check. When a connection arrives from an address not present in proxy_protocol_authorized_addrs, the listener fails catastrophically rather than rejecting the connection and logging the unauthorized attempt; the failure terminates the entire API server process, so every subsequent request also goes unserved. The vulnerability is classified under CWE-400, "Uncontrolled Resource Consumption" (also described as "Resource Exhaustion"), because the shutdown deprives the service of all capacity at once rather than consuming resources in a controlled way.
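To make the failure mode concrete, here is an added Go model (not Vault's own listener code) of a deny_unauthorized accept loop: resolveSource applies the authorized-address check to a PROXY v1 header, and serve contrasts an error that escapes the accept loop, taking down every later client, with one confined to the offending connection. The CIDR, peer addresses and header lines are constructed.

```go
package main

import (
	"errors"
	"net/netip"
	"strings"
)

// Constructed model of a Vault TCP listener with proxy_protocol_behavior set to
// "deny_unauthorized"; it is illustrative and not Vault's own listener code.
var ErrUnauthorized = errors.New("proxy protocol: peer not in proxy_protocol_authorized_addrs")
// conn stands in for an accepted TCP connection: the peer's address and the
// PROXY v1 line it sent, e.g. "PROXY TCP4 203.0.113.9 10.0.0.5 40812 8200".
type conn struct{ Peer netip.Addr; Header string }

// parseProxyV1 returns the client source address carried in a PROXY v1 header.
func parseProxyV1(line string) (netip.Addr, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" {
		return netip.Addr{}, errors.New("proxy protocol: malformed header")
	}
	return netip.ParseAddr(f[2])
}

// resolveSource trusts the PROXY header only from an authorized peer; any other peer is refused.
func resolveSource(c conn, authorized []netip.Prefix) (netip.Addr, error) {
	for _, p := range authorized {
		if p.Contains(c.Peer) {
			return parseProxyV1(c.Header)
		}
	}
	return netip.Addr{}, ErrUnauthorized
}

// serve is the accept loop. perConnErrors=false models the flaw: one unauthorized peer's
// error escapes the loop and nobody after it is served; true confines it to that connection.
func serve(conns []conn, authorized []netip.Prefix, perConnErrors bool) ([]string, error) {
	var served []string
	for _, c := range conns {
		src, err := resolveSource(c, authorized)
		if err != nil {
			if !perConnErrors {
				return served, err // whole API server goes down
			}
			continue // reject only this connection and keep accepting
		}
		served = append(served, src.String())
	}
	return served, nil
}
```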

Operationally, this vulnerability is a severe risk for organizations that rely on Vault for credential management and secrets orchestration. No malicious intent is needed to trigger it: simply connecting from an unauthorized IP address is enough to shut the server down. That makes it particularly dangerous where network access controls are misconfigured or where legitimate users connect from unexpected IP ranges. The impact goes beyond a simple service interruption, since the availability of critical secrets management infrastructure, and of every downstream application and service that depends on Vault for credential provisioning, is at stake.

The vulnerability affects several release series of Vault, including versions up to 1.17.1 and 1.16.5, although a separate regression in those series prevented operators from configuring the deny_unauthorized option at all. The underlying code flaw therefore existed in several versions while the actual exploitability was limited in certain release series by that configuration restriction. The fix in Vault 1.17.2, 1.16.6, and 1.15.12 addresses the core issue with proper error handling that keeps the API server running when unauthorized connections are received. This remediation aligns with ATT&CK technique T1499.004, which covers "Toggle Service State" and related denial of service tactics, by ensuring that the system stays available regardless of whether a connection's source is legitimate.

Organizations should upgrade to the patched versions immediately, since the denial of service condition is triggered by a simple connection attempt and requires no sophisticated exploitation technique. The proxy_protocol_behavior and proxy_protocol_authorized_addrs listener settings should be reviewed and kept accurate so that the intended access controls remain in place while unauthorized access is still prevented. Monitoring should also be in place to detect unusual patterns of connection attempts, whether they indicate deliberate attempts to trigger the denial of service or merely legitimate clients connecting from unauthorized addresses.

Responsible

HashiCorp

Reservation

07/03/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00491

KEV

no

Activities

very low

Sources
