#VU97751 Improper authentication in Vault and Vault Enterprise - CVE-2024-7594

Vulnerability identifier: #VU97751

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-7594

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vault
Web applications / Modules and components for CMS
Vault Enterprise
Web applications / Modules and components for CMS

Vendor: HashiCorp

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Vault: 1.7.8 - 1.7.10, 1.8.0 - 1.8.12, 1.9.0 - 1.9.10, 1.10.0 - 1.17.5

Vault Enterprise: 1.7.8 - 1.7.10, 1.8.0 - 1.8.12, 1.9.0 - 1.9.10, 1.10.0 - 1.17.5

---

External links
https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.