CVE-2021-3282

7.5 HIGH

📋 TL;DR

HashiCorp Vault Enterprise versions 1.6.0 and 1.6.1 allow unauthenticated execution of the 'remove-peer' raft operator command on DR (Disaster Recovery) secondaries. This vulnerability enables attackers to disrupt cluster operations by removing nodes without authentication. Only Vault Enterprise deployments with DR secondaries are affected.

💻 Affected Systems

Products:
  • HashiCorp Vault Enterprise
Versions: 1.6.0 through 1.6.1
Operating Systems: All platforms running Vault Enterprise
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with DR (Disaster Recovery) secondaries configured. Standard Vault Enterprise without DR secondaries is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could remove all DR secondary nodes from the raft cluster, causing complete loss of disaster recovery capability and potentially disrupting primary cluster operations if nodes are removed during critical operations.

🟠 Likely Case

Unauthorized removal of DR secondary nodes leading to loss of redundancy, potential data inconsistency, and disruption of disaster recovery failover capabilities.

🟢 If Mitigated

With proper network segmentation and access controls, the impact is limited to authorized administrators only, maintaining normal cluster operations.

🌐 Internet-Facing: LOW - Vault clusters should never be directly internet-facing; this requires network access to cluster management ports.
🏢 Internal Only: HIGH - If an attacker gains internal network access to Vault cluster management interfaces, they can disrupt disaster recovery capabilities without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to Vault cluster management ports (typically TCP 8201 for raft). The command is simple to execute once network access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2 or later

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337

Restart Required: Yes

Instructions:

1. Download Vault Enterprise 1.6.2 or later from HashiCorp.
2. Stop the Vault service on all nodes.
3. Replace the binary with the patched version.
4. Restart the Vault service on all nodes.
5. Verify cluster health and DR secondary status.

🔧 Temporary Workarounds

Network Segmentation (platform: linux)

Restrict access to Vault cluster management ports (typically TCP 8201, which carries raft traffic) to trusted administrative networks and systems only.

# Example iptables rule to restrict access to Vault raft port
# iptables -A INPUT -p tcp --dport 8201 -s 10.0.0.0/24 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8201 -j DROP

Disable DR Secondaries (platform: all)

Temporarily disable DR secondaries if they are not immediately needed for disaster recovery.

# On DR secondary: vault operator raft list-peers
# On DR secondary (legitimate removal only): vault operator raft remove-peer <server_id>
# remove-peer takes the server ID as a positional argument (there is no -peer-id flag);
# on a patched DR secondary the request must be authorized with a DR operation token (-dr-token)

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with Vault cluster management ports
  • Monitor raft operator commands and alert on any 'remove-peer' operations, especially from unauthorized sources

🔍 How to Verify

Check if Vulnerable:

Check Vault version: 'vault version'. If output shows 1.6.0 or 1.6.1 and DR secondaries are configured, the system is vulnerable.

Check Version:

vault version

Verify Fix Applied:

After patching, verify version is 1.6.2 or later with 'vault version'. Test that 'remove-peer' command now requires proper authentication on DR secondaries.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized 'remove-peer' operations in Vault audit logs
  • Unexpected node removals from raft cluster
  • DR secondary nodes becoming unavailable

Network Indicators:

  • Unexpected connections to the Vault raft/cluster port (TCP 8201) from sources outside the administrative networks
  • Raft RPC traffic on that port originating from hosts that are neither Vault cluster members nor administrative systems

SIEM Query:

source="vault" AND ("remove-peer" OR "raft operator" OR "peer removal") AND NOT user="admin"
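The log indicators and SIEM query above can be checked directly against Vault's file audit device, which writes one JSON object per line. The script below is an added example, not part of this advisory or of Vault: it flags raft remove-peer requests (served by the sys/storage/raft/remove-peer endpoint) that carry no client token or come from outside an assumed admin subnet (10.0.0.0/24, matching the iptables example). The sample audit lines are constructed, and the assumption that an unauthenticated request appears with an empty "auth" object is stated in the code.

```python
import ipaddress
import json
from typing import Iterable

# Constructed sample audit-log lines (not real captures). Vault's file audit
# device emits one JSON object per line; remove-peer is the
# sys/storage/raft/remove-peer endpoint. That an unauthenticated request
# shows up with an empty "auth" object is an assumption made here.
SAMPLE_AUDIT_LINES = [
    '{"time":"2021-02-01T10:00:00Z","type":"request","auth":{"client_token":"hmac-sha256:aaa","display_name":"dr-operation-token","policies":["default"]},"request":{"operation":"update","path":"sys/storage/raft/remove-peer","data":{"server_id":"hmac-sha256:bbb"},"remote_address":"10.0.0.5"}}',
    '{"time":"2021-02-01T10:05:00Z","type":"request","auth":{},"request":{"operation":"update","path":"sys/storage/raft/remove-peer","data":{"server_id":"hmac-sha256:ccc"},"remote_address":"192.168.50.9"}}',
    '{"time":"2021-02-01T10:06:00Z","type":"request","auth":{"client_token":"hmac-sha256:ddd","display_name":"token","policies":["root"]},"request":{"operation":"read","path":"sys/storage/raft/configuration","remote_address":"10.0.0.5"}}',
]

# Assumed administrative subnet; mirrors the iptables workaround above.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def is_admin_source(addr: str) -> bool:
    """True if addr parses as an IP inside one of the admin networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETWORKS)


def find_suspicious_peer_removals(lines: Iterable[str]) -> list[dict]:
    """Return one finding per remove-peer request that is unauthenticated
    or originates outside the admin networks."""
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip corrupt lines instead of crashing the monitor
        if entry.get("type") != "request":
            continue
        req = entry.get("request") or {}
        if not req.get("path", "").endswith("sys/storage/raft/remove-peer"):
            continue
        auth = entry.get("auth") or {}
        reasons = []
        if not auth.get("client_token"):
            reasons.append("remove-peer request carries no client token")
        src = req.get("remote_address", "")
        if not is_admin_source(src):
            reasons.append(f"source {src} is outside the admin networks")
        if reasons:
            findings.append({"time": entry.get("time"), "remote_address": src, "reasons": reasons})
    return findings
```

Point the function at the live audit file (for example by iterating over its lines) and forward each finding to the SIEM; on a patched cluster any remaining hit is still worth a look, since legitimate removals should come from admin hosts with a DR operation token.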
