CVE-2021-30476

9.8 CRITICAL

📋 TL;DR

Versions of HashiCorp's Terraform Vault Provider before 2.19.1 did not correctly configure bound labels on GCE-type roles of Vault's GCP authentication method (the vault_gcp_auth_backend_role resource). A role that was meant to admit only GCE instances carrying specific labels could therefore accept instances that do not carry them, and those instances obtain a Vault token with the role's policies. It affects organizations that manage Vault's GCP auth method with Terraform and rely on bound_labels to restrict which instances may log in; roles written by the old provider stay misconfigured in Vault until they are rewritten.

💻 Affected Systems

Products:
  • HashiCorp Terraform Vault Provider
Versions: before 2.19.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using Vault's GCP auth method with GCE-type bound labels via Terraform.

📦 What is this software?

The Terraform Vault Provider (terraform-provider-vault) is the HashiCorp-maintained Terraform plugin that manages Vault configuration as code: auth methods and their roles, policies, secrets engines and similar objects. Vault's GCP auth method lets Google Cloud workloads log in to Vault with a signed identity token. A GCE-type role restricts which instances may use it through bound_* constraints such as bound_projects, bound_zones, bound_service_accounts and bound_labels, the last of which requires the instance to carry specific GCE labels.
⚠️ Risk & Real-World Impact

🔴

Worst Case

A GCE instance that should have been rejected for lacking the required labels obtains a Vault token carrying the affected role's policies. If the role binds no project and its policies are broad, that exposes the credentials, certificates and encryption keys reachable through those policies across the whole estate.

🟠

Likely Case

GCE instances in the bound project that do not carry the intended labels, for example a lower-trust workload sharing the project, log in under the affected role and read the secrets its policies allow, enabling credential theft and lateral movement within the cloud environment.

🟢

If Mitigated

If the role also binds projects, zones or service accounts and its token policies are narrow, impact is limited to the secrets that role exposes on the Vault instances whose roles were written with the vulnerable provider.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to obtain a GCE identity token from an instance that satisfies the role's remaining bound_* constraints (in practice, code execution on such an instance) and the name of an affected role; the login request takes only the role name and the token, so the Terraform configuration itself need not be visible to the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.19.1

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-11-terraform-s-vault-provider-did-not-correctly-configure-bound-labels-for-gcp-auth/23464/2

Restart Required: No

Instructions:

1. Raise the hashicorp/vault version constraint in required_providers (for example ">= 2.19.1") and run 'terraform init -upgrade' so the lock file picks up terraform-provider-vault 2.19.1 or later.
2. Run 'terraform plan' and review the proposed changes to every vault_gcp_auth_backend_role of type gce that sets bound_labels. Roles already written by the old provider stay wrong in Vault until Terraform rewrites them, so if plan shows no change for an affected role, compare the role in Vault (step 4) before trusting it.
3. Run 'terraform apply'.
4. Verify each role in Vault with 'vault read auth/gcp/role/<name>' and confirm that bound_labels contains exactly the intended key:value pairs.

🔧 Temporary Workarounds

Manual GCP Auth Configuration

Platform: all

Configure the affected GCE-type roles with the Vault CLI or API instead of the Terraform provider. Vault expects bound_labels as a comma-separated list of key:value pairs (colon, not equals), and the role should also bind a project:

vault write auth/gcp/config credentials=@gcp-creds.json
vault write auth/gcp/role/my-role type="gce" bound_projects="my-project" bound_labels="env:prod,team:web" policies="default"

Read the role back with 'vault read auth/gcp/role/my-role' to confirm the labels took effect. Remove the role from Terraform management (for example with 'terraform state rm') until the provider is upgraded; otherwise the next 'terraform apply' with the old provider rewrites it.

Disable GCP Auth Method

Platform: all

Temporarily disable the GCP authentication method if it is not essential. Disabling an auth method revokes every token it issued, so workloads that depend on it lose access immediately:

vault auth disable gcp

🧯 If You Can't Patch

  • Tighten the other constraints on each affected role. The advisory scopes the defect to bound labels, so bound_projects, bound_zones or bound_regions, and bound_service_accounts still apply; set them so that only the intended instances can log in even without a label check.
  • Narrow the token policies attached to affected roles to the secrets those workloads actually need, and restrict network access to the Vault API to trusted ranges. Network controls limit who can reach the login endpoint but do not replace the label check, since any instance in the bound project can still reach it.

🔍 How to Verify

Check if Vulnerable:

Look for vault_gcp_auth_backend_role resources with type = "gce" and a bound_labels argument, and check the hashicorp/vault provider version pinned in .terraform.lock.hcl (or the constraint in required_providers) for a value below 2.19.1. Then read each such role from Vault with 'vault read auth/gcp/role/<name>': a bound_labels value that differs from the Terraform configuration means the role was written incorrectly.

Check Version:

terraform version | grep -i vault        # lists the provider version once 'terraform init' has run
grep -A1 'hashicorp/vault' .terraform.lock.hcl

Verify Fix Applied:

Confirm the provider version is 2.19.1 or later with 'terraform version' (or 'terraform providers'), then read each GCE-type role with 'vault read auth/gcp/role/<name>' and check that bound_labels lists exactly the key:value pairs from the Terraform configuration.
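As an added example that is not part of this advisory or of the provider's own code, the following Python script automates the two checks above: it reads the hashicorp/vault version pinned in .terraform.lock.hcl and compares it with 2.19.1, and it compares the data object returned by 'vault read -format=json auth/gcp/role/<name>' with the labels the Terraform configuration intended. The lock-file text and the role object are constructed samples; whether Vault returns bound_labels as a map or as a list of key:value strings is treated as unknown here, and both shapes are accepted.

```python
"""Offline checks for CVE-2021-30476 (added example, not HashiCorp code).

1. is_vault_provider_vulnerable(): parse the hashicorp/vault block of
   .terraform.lock.hcl and compare the pinned version with 2.19.1.
2. audit_gce_role(): compare the 'data' object of
   `vault read -format=json auth/gcp/role/<name>` with the intended labels.
   Assumption: bound_labels may come back as a map or as a list of
   "key:value" strings; both are normalised to a dict.
"""
import json
import re
from typing import Dict, List, Union

FIXED_VERSION = (2, 19, 1)

# Matches the provider block for hashicorp/vault and captures its version.
_LOCK_RE = re.compile(
    r'provider\s+"registry\.terraform\.io/hashicorp/vault"\s*\{[^}]*?'
    r'version\s*=\s*"(?P<ver>[0-9]+\.[0-9]+\.[0-9]+)"',
    re.S,
)


def _parse_version(ver: str):
    return tuple(int(part) for part in ver.split("."))


def is_vault_provider_vulnerable(lock_text: str) -> bool:
    """True if the lock file pins hashicorp/vault below 2.19.1."""
    m = _LOCK_RE.search(lock_text)
    if not m:
        raise ValueError("hashicorp/vault provider not found in lock file")
    return _parse_version(m.group("ver")) < FIXED_VERSION


def _normalize_labels(raw: Union[None, dict, list]) -> Dict[str, str]:
    """Accept either {"env": "prod"} or ["env:prod"] (assumed shapes)."""
    if not raw:
        return {}
    if isinstance(raw, dict):
        return {str(k): str(v) for k, v in raw.items()}
    labels = {}
    for item in raw:
        key, sep, value = str(item).partition(":")
        if not sep:
            raise ValueError(f"bound label {item!r} is not key:value")
        labels[key] = value
    return labels


def audit_gce_role(role_data: dict, expected_labels: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the role matches."""
    findings = []
    if role_data.get("type") != "gce":
        findings.append("role type is not gce; bound_labels do not apply")
        return findings
    actual = _normalize_labels(role_data.get("bound_labels"))
    if not actual:
        findings.append("bound_labels is empty: any instance passing the other "
                        "bound_* checks can log in")
    for key, value in expected_labels.items():
        if key not in actual:
            findings.append(f"missing label constraint {key}:{value}")
        elif actual[key] != value:
            findings.append(f"label {key} bound to {actual[key]!r}, expected {value!r}")
    for key in sorted(actual.keys() - expected_labels.keys()):
        findings.append(f"unexpected label constraint {key}:{actual[key]}")
    if not role_data.get("bound_projects"):
        findings.append("bound_projects is empty: role accepts instances from any project")
    return findings


# Constructed sample lock file pinning the vulnerable provider version.
SAMPLE_LOCK = '''
provider "registry.terraform.io/hashicorp/google" {
  version = "3.65.0"
}

provider "registry.terraform.io/hashicorp/vault" {
  version     = "2.19.0"
  constraints = "~> 2.19"
  hashes = [
    "h1:constructed-example-hash",
  ]
}
'''

# Constructed stand-in for the "data" object of `vault read -format=json auth/gcp/role/web`
# after the labels were lost; the Terraform config intended env:prod and role:web.
SAMPLE_ROLE = json.loads('''{
  "type": "gce",
  "bound_projects": ["example-prod"],
  "bound_labels": {},
  "bound_zones": [],
  "token_policies": ["web-secrets"]
}''')
INTENDED_LABELS = {"env": "prod", "role": "web"}

if __name__ == "__main__":
    print("provider vulnerable:", is_vault_provider_vulnerable(SAMPLE_LOCK))
    for finding in audit_gce_role(SAMPLE_ROLE, INTENDED_LABELS):
        print("finding:", finding)
```

In practice, feed the script the real lock file and the output of 'vault read -format=json' for each GCE-type role; any finding on a role means it must be rewritten (by the fixed provider or by hand) before the role can be trusted.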

📡 Detection & Monitoring

Log Indicators:

  • Successful responses on request path auth/gcp/login in the Vault audit log whose auth.metadata (project_id, zone, instance_name, service_account_email) names an instance that was never meant to use that role
  • A new instance name or service account appearing under a role for the first time, or failed logins from an instance followed by a successful one under a different role

Network Indicators:

  • Vault API requests from GCP address ranges or projects that do not host the workloads the roles were built for
  • Logins on auth/gcp/login from instances whose GCE labels (checked against GCP asset inventory) do not match the role's intended bound_labels

SIEM Query:

source="vault-audit" type="response" request.path="auth/gcp/login" auth.metadata.role=* | stats count by auth.metadata.role, auth.metadata.project_id, auth.metadata.instance_name, request.remote_address

(Field names assume Vault's JSON audit device ingested with nested keys flattened to dotted names; a populated auth.metadata.role marks a login that issued a token. Adjust to your SIEM's field extraction.)
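As an added example (not from the advisory or from Vault), this Python snippet applies the log indicators above to Vault's JSON file audit device: it keeps successful responses on auth/gcp/login, pulls the instance identity from auth.metadata, and flags any login whose (project_id, instance_name) is not on the inventory of instances that were meant to carry the role's labels. The audit lines and the inventory are constructed for the example; the field names are those of Vault's audit log, but the inventory source (for instance an export from GCP asset inventory) is an assumption.

```python
"""Detect GCP-auth logins from unexpected instances in a Vault audit log
(added example, not Vault code). Input: one JSON object per line as written
by Vault's file audit device."""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Set, Tuple

LOGIN_PATH = "auth/gcp/login"

LoginRecord = Tuple[str, str, str, str, str]  # time, role, project, instance, remote addr


def successful_gcp_logins(lines: Iterable[str]) -> Iterator[LoginRecord]:
    """Yield one record per response entry that completed a GCP login without error."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue  # request entries carry no auth metadata
        if entry.get("request", {}).get("path") != LOGIN_PATH:
            continue
        if entry.get("error"):
            continue  # failed login, no token issued
        meta = entry.get("auth", {}).get("metadata") or {}
        yield (
            entry.get("time", ""),
            meta.get("role", ""),
            meta.get("project_id", ""),
            meta.get("instance_name", ""),
            entry["request"].get("remote_address", ""),
        )


def unexpected_logins(lines: Iterable[str],
                      inventory: Dict[str, Set[Tuple[str, str]]]) -> List[dict]:
    """inventory maps role name -> set of (project_id, instance_name) that are
    supposed to carry the role's labels (assumed to come from asset inventory)."""
    alerts = []
    for time, role, project, instance, addr in successful_gcp_logins(lines):
        if (project, instance) not in inventory.get(role, set()):
            alerts.append({"time": time, "role": role, "project_id": project,
                           "instance_name": instance, "remote_address": addr})
    return alerts


def logins_by_role_and_project(lines: Iterable[str]) -> Counter:
    """Baseline view: how many successful logins each (role, project) pair produced."""
    return Counter((role, project) for _, role, project, _, _ in successful_gcp_logins(lines))


# Constructed audit entries: a request, two successful logins (web-1 is expected,
# batch-7 is not), a failed login, and an unrelated secret read.
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"time": "2021-05-03T10:00:00Z", "type": "request",
     "request": {"path": "auth/gcp/login", "remote_address": "10.0.1.5"}},
    {"time": "2021-05-03T10:00:00Z", "type": "response", "error": "",
     "request": {"path": "auth/gcp/login", "remote_address": "10.0.1.5"},
     "auth": {"display_name": "gcp-web", "metadata": {
         "role": "web", "project_id": "example-prod", "instance_name": "web-1",
         "zone": "us-central1-a"}}},
    {"time": "2021-05-03T10:00:07Z", "type": "response", "error": "",
     "request": {"path": "auth/gcp/login", "remote_address": "10.0.9.77"},
     "auth": {"display_name": "gcp-web", "metadata": {
         "role": "web", "project_id": "example-prod", "instance_name": "batch-7",
         "zone": "us-central1-b"}}},
    {"time": "2021-05-03T10:00:09Z", "type": "response",
     "error": "1 error occurred:\n\t* permission denied\n\n",
     "request": {"path": "auth/gcp/login", "remote_address": "10.0.9.78"}},
    {"time": "2021-05-03T10:01:00Z", "type": "response", "error": "",
     "request": {"path": "secret/data/web/db", "remote_address": "10.0.1.5"}},
]]

# Constructed inventory: instances that legitimately carry the "web" role's labels.
INVENTORY = {"web": {("example-prod", "web-1"), ("example-prod", "web-2")}}

if __name__ == "__main__":
    for alert in unexpected_logins(SAMPLE_AUDIT_LINES, INVENTORY):
        print("ALERT", alert)
    print(logins_by_role_and_project(SAMPLE_AUDIT_LINES))
```

Run it against the audit file for the period in which the vulnerable provider was in use; every alert is a token issued to an instance the role was not meant to admit and its lease should be revoked while the instance is investigated.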
