CVE-2023-0665
📋 TL;DR
This vulnerability in HashiCorp Vault's PKI mount allows unauthorized users to delete or modify PKI issuer metadata, potentially causing denial of service for the PKI mount. It affects Vault deployments with PKI mounts enabled. The vulnerability does not compromise cryptographic keys or certificate issuance capabilities.
💻 Affected Systems
- HashiCorp Vault
📦 What is this software?
Vault by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Malicious actor deletes critical PKI issuers, causing complete PKI mount failure and disrupting all certificate operations until manual restoration.
Likely Case
Unauthorized modification or deletion of issuer metadata causing temporary PKI service disruption until administrators restore configurations.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized users making accidental changes.
🎯 Exploit Status
Exploitation requires authenticated access to Vault but bypasses authorization checks for PKI issuer endpoints. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault 1.13.1, 1.12.5, or 1.11.9
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1
Restart Required: Yes
Instructions:
1. Back up Vault configuration and data.
2. Download the patched Vault version from HashiCorp releases.
3. Stop the Vault service.
4. Replace the Vault binary with the patched version.
5. Restart the Vault service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict PKI mount access
Tighten Vault policies to limit access to PKI mount endpoints
vault policy write restricted-pki - <<EOF
path "pki/*" {
capabilities = ["read"]
}
EOF
Disable PKI mounts temporarily
Disable unused PKI mounts to reduce attack surface
vault secrets disable pki/
🧯 If You Can't Patch
- Implement strict network access controls to limit Vault API access to authorized administrators only
- Enable detailed audit logging for all PKI mount operations and monitor for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check the Vault version with the 'vault version' command. If the reported version is earlier than the patched release for its series (1.13.1, 1.12.5, or 1.11.9) and PKI mounts are enabled, the deployment is vulnerable.
Check Version:
vault version
Verify Fix Applied:
After patching, verify that the reported version is 1.13.1, 1.12.5, or 1.11.9 or later. Then attempt a PKI issuer modification with a token that is not authorized for the issuer endpoints and confirm that the request is denied.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /v1/pki/issuer/* endpoints
- PKI issuer deletion or modification events from unexpected users
Network Indicators:
- HTTP DELETE/POST requests to PKI issuer endpoints from unauthorized sources
SIEM Query:
source="vault_audit" AND (path="/v1/pki/issuer/*" AND (operation="delete" OR operation="update")) AND NOT user="authorized_admin"
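As an added example (not part of this advisory or of Vault's own tooling), the detection logic above implemented as a small Python scanner over Vault's JSON file audit-device output; the sample lines, the allowlisted entity IDs and the mount path are constructed assumptions. Two details matter when adapting the SIEM query: Vault records request paths without the /v1/ prefix, and every call produces both a "request" and a "response" entry, so filter on one type to avoid double counting.

```python
import fnmatch
import json

# Constructed sample lines shaped like Vault's JSON file audit device output.
# Real entries carry more fields (HMAC'd request data, remote_address, ...);
# only the fields this detector reads are included. Audit-log paths omit the
# "/v1/" prefix seen on the wire.
SAMPLE_AUDIT_LINES = [
    '{"type":"request","time":"2023-03-20T10:00:01Z","auth":{"display_name":"token-pki-admin","entity_id":"ent-admin-1"},"request":{"operation":"update","path":"pki/issuer/3a2f"}}',
    '{"type":"response","time":"2023-03-20T10:00:01Z","auth":{"display_name":"token-pki-admin","entity_id":"ent-admin-1"},"request":{"operation":"update","path":"pki/issuer/3a2f"}}',
    '{"type":"request","time":"2023-03-20T10:02:14Z","auth":{"display_name":"token-app-web","entity_id":"ent-app-7"},"request":{"operation":"read","path":"pki/issuer/3a2f"}}',
    '{"type":"request","time":"2023-03-20T10:02:15Z","auth":{"display_name":"token-app-web","entity_id":"ent-app-7"},"request":{"operation":"delete","path":"pki/issuer/3a2f"}}',
    '{"type":"request","time":"2023-03-20T10:03:00Z","auth":{"display_name":"token-app-web","entity_id":"ent-app-7"},"request":{"operation":"update","path":"pki/issue/web-role"}}',
    'not json at all',
]

# Assumed allowlist: entity IDs of the administrators expected to manage issuers.
# Match on entity_id rather than display_name, which some auth methods let the
# caller influence.
ALLOWED_ENTITY_IDS = {"ent-admin-1"}
WATCHED_OPERATIONS = {"update", "delete"}

def issuer_path_patterns(mount_paths):
    """Glob patterns for issuer metadata paths under each PKI mount (mounts may live anywhere, not only at pki/)."""
    return [f"{m.strip('/')}/issuer/*" for m in mount_paths]

def is_flagged(entry, patterns, allowed_entities=ALLOWED_ENTITY_IDS):
    """True for a request entry that updates/deletes issuer metadata on behalf of an unlisted entity."""
    if entry.get("type") != "request":  # each call also logs a "response" entry; count it once
        return False
    req = entry.get("request", {})
    if req.get("operation") not in WATCHED_OPERATIONS:
        return False
    if not any(fnmatch.fnmatchcase(req.get("path", ""), p) for p in patterns):
        return False
    return entry.get("auth", {}).get("entity_id") not in allowed_entities

def scan_audit_lines(lines, mount_paths=("pki",)):
    """Return (time, display_name, operation, path) for each flagged entry; unparsable lines are skipped."""
    patterns = issuer_path_patterns(mount_paths)
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_flagged(entry, patterns):
            hits.append((entry.get("time"), entry.get("auth", {}).get("display_name"),
                         entry["request"]["operation"], entry["request"]["path"]))
    return hits

if __name__ == "__main__":
    for hit in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print("ALERT issuer metadata change by unlisted entity:", hit)
```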
🔗 References
- https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1
- https://security.netapp.com/advisory/ntap-20230526-0008/