CVE-2021-27400
📋 TL;DR
HashiCorp Vault's Cassandra integrations failed to validate TLS certificates when connecting to Cassandra clusters, allowing man-in-the-middle attacks. This affects Vault deployments using Cassandra as storage backend or database secrets engine. Attackers could intercept or manipulate sensitive data transmitted between Vault and Cassandra.
💻 Affected Systems
- HashiCorp Vault
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Vault secrets database, credential theft, and data manipulation leading to complete system compromise.
Likely Case
Interception of sensitive secrets and credentials transmitted between Vault and Cassandra, enabling lateral movement.
If Mitigated
Limited impact if network segmentation isolates Vault-Cassandra traffic or if alternative storage backends are used.
🎯 Exploit Status
Exploitation requires network access to Vault-Cassandra communication path. No authentication bypass needed once in position.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4 and 1.7.1
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-10-vault-s-cassandra-integrations-did-not-validate-tls-certificates/23463
Restart Required: Yes
Instructions:
1. Back up Vault data.
2. Upgrade to Vault 1.6.4 or 1.7.1.
3. Restart the Vault service.
4. Verify that TLS validation is working.
🔧 Temporary Workarounds
Switch to alternative storage backend
Migrate from Cassandra to another supported storage backend such as Consul, Raft, or filesystem.
vault operator migrate -config migrate.hcl
Network segmentation
Isolate the Vault and Cassandra servers in a dedicated network segment with strict access controls.
🧯 If You Can't Patch
- Implement strict network segmentation between Vault and Cassandra servers
- Use VPN or encrypted tunnel for all Vault-Cassandra communications
🔍 How to Verify
Check if Vulnerable:
Check the Vault version and the Cassandra configuration. If you use the Cassandra storage backend or database plugin with a Vault version below 1.6.4, or with version 1.7.0, you are vulnerable.
Check Version:
vault version
Verify Fix Applied:
After upgrading, test Cassandra TLS connection validation by attempting to connect with an invalid certificate; the connection should fail.
📡 Detection & Monitoring
Log Indicators:
- Failed TLS handshake attempts to Cassandra
- Unexpected Cassandra connection sources
Network Indicators:
- Unencrypted traffic between Vault and Cassandra on expected TLS ports
- MITM tools like sslstrip in network traffic
SIEM Query:
source="vault" AND ("cassandra" OR "tls") AND ("certificate" OR "validation")
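To make the version check under "How to Verify" and the SIEM query above mechanical, here is an added Python example (not part of this page and not Vault's own code). It parses `vault version` output, applies the page's affected-version rule, and runs the SIEM query's keyword logic over constructed sample log lines; the log lines are invented, and the `uses_cassandra` flag is assumed to come from your own review of the Vault configuration.

```python
import re

# Fixed versions named on the page: 1.6.4 for the 1.6 line, 1.7.1 for the 1.7 line.
FIXED_16 = (1, 6, 4)
AFFECTED_17 = (1, 7, 0)

# Matches the leading "Vault vX.Y.Z" of `vault version` output (also "vX.Y.Z+ent").
VERSION_RE = re.compile(r"Vault v(\d+)\.(\d+)\.(\d+)")


def parse_vault_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `vault version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'vault version' output: %r" % output)
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple, uses_cassandra: bool) -> bool:
    """Page rule: Cassandra backend/plugin in use AND (version < 1.6.4 OR version == 1.7.0)."""
    if not uses_cassandra:          # assumption: caller checked the storage/database config
        return False
    return version < FIXED_16 or version == AFFECTED_17


def matches_siem_query(line: str) -> bool:
    """The page's SIEM query as a predicate over one Vault log line (case-insensitive)."""
    low = line.lower()
    return ("cassandra" in low or "tls" in low) and ("certificate" in low or "validation" in low)


# Constructed sample log lines (not real Vault output). The source="vault" clause of the
# query is modelled by feeding only Vault log lines into the filter.
SAMPLE_VAULT_LOGS = [
    '2021-04-01T10:00:01Z [ERROR] storage.cassandra: tls handshake failed: x509: certificate signed by unknown authority',
    '2021-04-01T10:00:02Z [INFO]  core: vault is unsealed',
    '2021-04-01T10:00:03Z [WARN]  secrets.database.cassandra: certificate validation failed for host cassandra-1',
    '2021-04-01T10:00:04Z [INFO]  storage.cassandra: connected to cluster',
]


def filter_logs(lines):
    """Return the log lines that the SIEM query would surface."""
    return [line for line in lines if matches_siem_query(line)]


if __name__ == "__main__":
    v = parse_vault_version("Vault v1.6.3 (deadbeef)")   # constructed output
    print("affected:", is_affected(v, uses_cassandra=True))
    for hit in filter_logs(SAMPLE_VAULT_LOGS):
        print("SIEM hit:", hit)
```

A hit from the filter is a lead, not a verdict: after the upgrade, handshake failures against a known-bad certificate are the expected sign that validation now works.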