CVE-2020-24359

7.5 HIGH

📋 TL;DR

HashiCorp vault-ssh-helper versions up to 0.1.6 incorrectly accept Vault-issued SSH OTPs for an entire subnet rather than a specific IP address, allowing attackers to use OTPs intended for one host to authenticate to any host in the same subnet. This affects organizations using vault-ssh-helper for SSH authentication with Vault OTPs.
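The flaw described above reduces to one comparison: whether the helper checks that an OTP's IP is inside the host's subnet, or that it equals the host's own address. The following model is an added example written for this page, not vault-ssh-helper's own code; the OTP record, its field names, the host inventory and the addresses are all constructed to show how many hosts each policy would accept the same OTP on.

```python
"""Added illustration (not vault-ssh-helper's code): why a subnet-scoped check
lets an OTP issued for one host authenticate to its neighbours, and how an
exact-IP check confines it to the intended host.  All values are constructed."""
import ipaddress

# Constructed record modelling what Vault reports back for an OTP: the user and
# the single host IP the OTP was issued for.  Field names are assumptions.
OTP_RECORD = {"username": "deploy", "ip": "10.20.30.10"}


def accepts_otp_by_subnet(otp_ip: str, host_cidr: str) -> bool:
    """Subnet-scoped acceptance, modelling the behaviour the advisory attributes
    to vault-ssh-helper <= 0.1.6: the OTP is accepted whenever its IP merely
    falls inside the network the host sits on."""
    network = ipaddress.ip_network(host_cidr, strict=False)
    return ipaddress.ip_address(otp_ip) in network


def accepts_otp_by_exact_ip(otp_ip: str, host_ip: str) -> bool:
    """Exact-match acceptance, the behaviour the 0.2.0 fix is described as
    providing: the OTP must name this host's address and no other."""
    return ipaddress.ip_address(otp_ip) == ipaddress.ip_address(host_ip)


def hosts_that_would_accept(otp_ip: str, hosts: dict, exact: bool) -> list:
    """Return the names of hosts (name -> 'addr/prefix') that would accept an
    OTP issued for otp_ip under the chosen policy; this shows the blast radius."""
    accepted = []
    for name, addr in hosts.items():
        if exact:
            ok = accepts_otp_by_exact_ip(otp_ip, addr.split("/")[0])
        else:
            ok = accepts_otp_by_subnet(otp_ip, addr)
        if ok:
            accepted.append(name)
    return accepted


# Constructed inventory: three hosts share one /24, one host lives elsewhere.
HOSTS = {
    "web1": "10.20.30.10/24",
    "web2": "10.20.30.11/24",
    "db1": "10.20.30.50/24",
    "bastion": "10.99.0.5/24",
}

if __name__ == "__main__":
    otp_ip = OTP_RECORD["ip"]
    print("subnet check accepts on:", hosts_that_would_accept(otp_ip, HOSTS, exact=False))
    print("exact check accepts on: ", hosts_that_would_accept(otp_ip, HOSTS, exact=True))
```

With the constructed inventory the subnet policy accepts the web1 OTP on web1, web2 and db1, while the exact-IP policy accepts it on web1 only; the bastion on another network is untouched under either policy, which is why the advisory's "Internal Only" rating is the higher one.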

💻 Affected Systems

Products:
  • HashiCorp vault-ssh-helper
Versions: All versions up to and including 0.1.6
Operating Systems: All supported OS (Linux, Unix variants)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Vault-issued SSH OTPs for authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with a valid OTP for any host in a subnet could gain unauthorized SSH access to all hosts in that subnet, potentially leading to lateral movement and full network compromise.

🟠 Likely Case

Unauthorized SSH access to multiple hosts within the same subnet, enabling privilege escalation and data exfiltration.

🟢 If Mitigated

Limited to isolated network segments with strict access controls, reducing lateral movement potential.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining a valid OTP for any host in the target subnet, which could be intercepted or obtained through other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.0

Vendor Advisory: https://github.com/hashicorp/vault-ssh-helper/blob/master/CHANGELOG.md#020-august-19-2020

Restart Required: Yes

Instructions:

1. Download vault-ssh-helper version 0.2.0 or later from the official releases page.
2. Replace the existing binary with the new version.
3. Restart the vault-ssh-helper service on all affected hosts.

🔧 Temporary Workarounds

Network segmentation (applies to: all)

Isolate hosts into smaller subnets to limit the scope of potential OTP misuse.

Restrict SSH access (applies to: linux)

Use firewall rules to limit SSH connections to trusted IP addresses only. trusted_ip is a placeholder for the address or CIDR of each trusted source; add one ACCEPT rule per source. Because -A appends, any earlier rule that already accepts port 22 takes precedence over the DROP below, so check the existing INPUT chain first.

# accept SSH from the trusted source, then drop all other SSH connections
iptables -A INPUT -p tcp --dport 22 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to minimize subnet sizes.
  • Monitor SSH authentication logs for unusual patterns or OTP reuse across hosts.

🔍 How to Verify

Check if Vulnerable:

Check the vault-ssh-helper version with vault-ssh-helper --version. If the reported version is 0.1.6 or earlier, the system is vulnerable.

Check Version:

vault-ssh-helper --version

Verify Fix Applied:

After updating, verify the version is 0.2.0 or later and test SSH authentication with OTPs to ensure they are validated against specific IP addresses.
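The version check above is simple to do by hand on one host, but on a fleet it is worth scripting. The helper below is an added example, not part of the advisory or of vault-ssh-helper: it extracts the first x.y.z triple from whatever the --version banner prints (the exact banner format is not assumed), compares it against 0.2.0, and can optionally run the real binary if it is on PATH.

```python
"""Added helper (not from the advisory or vault-ssh-helper): classify a
vault-ssh-helper version string as affected (<= 0.1.6) or fixed (>= 0.2.0)."""
import re
import shutil
import subprocess

FIXED_VERSION = (0, 2, 0)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z triple from --version output as a tuple of ints.
    Accepts 'v0.1.6', '0.2.0', 'Version: 0.2.3 (...)' and similar; the banner
    format itself is not assumed.  Raises ValueError if no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text: str) -> bool:
    """True when the reported version predates the 0.2.0 fix."""
    return parse_version(text) < FIXED_VERSION


def installed_version_output(binary: str = "vault-ssh-helper") -> str:
    """Run the binary's --version (the command the advisory names) and return
    its combined output, or '' when the binary is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return ""
    proc = subprocess.run([path, "--version"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    output = installed_version_output()
    if not output:
        print("vault-ssh-helper not found on PATH")
    else:
        state = "VULNERABLE (update to 0.2.0 or later)" if is_vulnerable(output) else "fixed"
        print(f"{output.strip()} -> {state}")
```

Run it on each host that uses Vault OTPs; a version at or above 0.2.0 is the necessary condition, and the functional test of OTP validation against the exact host IP remains the confirmation.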

📡 Detection & Monitoring

Log Indicators:

  • Multiple SSH authentication attempts from the same OTP across different IPs in a subnet
  • SSH logins from unexpected IPs using valid OTPs

Network Indicators:

  • Unusual SSH traffic patterns between hosts in the same subnet

SIEM Query (pseudo-query: duplicate_otp and multiple_hosts are not raw log fields and must be derived by correlating OTP issuance records with the hosts that accepted each OTP):

source="ssh_logs" AND ("OTP" OR "vault-ssh-helper") AND (duplicate_otp OR multiple_hosts)
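The two log indicators above both need a join between where an OTP was issued for and where it was verified. The sketch below is an added example, not from the advisory or from Vault: it runs over constructed, normalised JSON event lines (otp_issued with a target_ip, otp_verified with the verifying host_ip) and flags verifications on a host other than the issued target, one OTP reference seen on more than one host, and verifications with no matching issuance. The field names and the otp_ref value are assumptions; map your own Vault audit records and helper or sshd logs onto them.

```python
"""Added detection sketch (not from the advisory or from Vault): correlate
OTP issuance with OTP verification and flag cross-host use.  Events are
constructed and simplified; `otp_ref` stands in for an opaque reference to
the OTP (an audit device logs a hash, never the secret itself)."""
import json
from collections import defaultdict

# Constructed sample: ref-b2 was issued for .11 but first verified on .50,
# then on .11; ref-zz has no issuance record at all.
SAMPLE_EVENTS = """\
{"ts":"2020-08-20T10:00:01Z","event":"otp_issued","otp_ref":"ref-a1","user":"deploy","target_ip":"10.20.30.10"}
{"ts":"2020-08-20T10:00:05Z","event":"otp_verified","otp_ref":"ref-a1","user":"deploy","host_ip":"10.20.30.10","src_ip":"10.99.0.5"}
{"ts":"2020-08-20T10:01:00Z","event":"otp_issued","otp_ref":"ref-b2","user":"ops","target_ip":"10.20.30.11"}
{"ts":"2020-08-20T10:01:30Z","event":"otp_verified","otp_ref":"ref-b2","user":"ops","host_ip":"10.20.30.50","src_ip":"10.99.0.5"}
{"ts":"2020-08-20T10:02:00Z","event":"otp_verified","otp_ref":"ref-b2","user":"ops","host_ip":"10.20.30.11","src_ip":"10.99.0.5"}
{"ts":"2020-08-20T10:03:00Z","event":"otp_verified","otp_ref":"ref-zz","user":"ops","host_ip":"10.20.30.12","src_ip":"10.99.0.5"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_otp_misuse(events: list) -> list:
    """Return finding dicts for three rules that mirror the log indicators:
      host_mismatch - OTP verified on a host that is not its issued target_ip
      multi_host    - one OTP reference verified (or attempted) on >1 host
      unknown_otp   - verification with no issuance record in the window"""
    issued = {}
    hosts_per_otp = defaultdict(set)
    findings = []
    for ev in events:
        if ev["event"] == "otp_issued":
            issued[ev["otp_ref"]] = ev
        elif ev["event"] == "otp_verified":
            ref = ev["otp_ref"]
            hosts_per_otp[ref].add(ev["host_ip"])
            if ref not in issued:
                findings.append({"rule": "unknown_otp", "otp_ref": ref,
                                 "host_ip": ev["host_ip"]})
                continue
            target = issued[ref]["target_ip"]
            if ev["host_ip"] != target:
                findings.append({"rule": "host_mismatch", "otp_ref": ref,
                                 "host_ip": ev["host_ip"], "target_ip": target})
    for ref, hosts in hosts_per_otp.items():
        if len(hosts) > 1:
            findings.append({"rule": "multi_host", "otp_ref": ref,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in find_otp_misuse(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

The host_mismatch rule is the direct signal for this CVE: on a fixed helper an OTP can only succeed on its target, so any success elsewhere means an unpatched host. The multi_host and unknown_otp rules cover attempts, which is why verification events should be fed in regardless of outcome.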
