CVE-2023-5077

7.6 HIGH

📋 TL;DR

This vulnerability in HashiCorp Vault's Google Cloud secrets engine removes existing IAM Conditions when creating or updating rolesets, potentially granting unintended permissions. It affects Vault and Vault Enterprise users who use the Google Cloud secrets engine. The issue could lead to privilege escalation or unauthorized access to Google Cloud resources.

💻 Affected Systems

Products:
  • HashiCorp Vault
  • HashiCorp Vault Enterprise
Versions: All versions before 1.13.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the Google Cloud secrets engine with IAM Conditions configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain unauthorized access to sensitive Google Cloud resources, modify critical infrastructure, or exfiltrate data by exploiting missing IAM Conditions that were intended to restrict access.

🟠 Likely Case

Accidental privilege escalation where users or services gain broader access than intended due to missing IAM Conditions, potentially violating least privilege principles.

🟢 If Mitigated

With proper monitoring and access controls, unauthorized access attempts would be detected and blocked, limiting the impact to audit trail anomalies.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to Vault with permissions to create or update Google Cloud rolesets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.0

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654

Restart Required: Yes

Instructions:

1. Back up Vault configuration and data.
2. Upgrade Vault to version 1.13.0 or later.
3. Restart the Vault service.
4. Verify that Google Cloud rolesets have the correct IAM Conditions.

🔧 Temporary Workarounds

Manual IAM Condition Verification

Applies to: all

Manually verify and reapply IAM Conditions after any roleset creation or update.

gcloud iam roles describe [ROLE_ID] --project=[PROJECT_ID]

🧯 If You Can't Patch

  • Temporarily disable Google Cloud secrets engine if not critical
  • Implement strict audit logging and monitoring for roleset changes

🔍 How to Verify

Check if Vulnerable:

Check the Vault version with 'vault version'. If the version is below 1.13.0 and the Google Cloud secrets engine is enabled, the system is vulnerable.

Check Version:

vault version

Verify Fix Applied:

After upgrading to 1.13.0+, create a test roleset with IAM Conditions and verify they persist after updates.
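The verification step above amounts to comparing the project's IAM policy before and after a roleset update, and the manual workaround above amounts to listing the roleset's unconditioned grants. As an added example that is not part of this advisory or of Vault's own code, the Python below does both on two constructed policy snapshots in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the service account member and the roles are assumed sample values.

```python
import json

# Assumed sample member: the service account Vault manages for a test roleset.
MEMBER = "serviceAccount:vaultroleset-test@example-project.iam.gserviceaccount.com"

# Constructed sample policies (not output from a real project) in the shape
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.
# BEFORE: snapshot taken while the roleset's binding still carries its condition.
# AFTER: snapshot taken after a roleset update on an affected Vault, where the
# conditioned binding has been replaced by an unconditioned one.
BEFORE = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": [MEMBER],
     "condition": {"title": "prod-bucket-only",
                   "expression": 'resource.name.startsWith("projects/_/buckets/prod")'}},
    {"role": "roles/compute.viewer", "members": [MEMBER]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]})
AFTER = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": [MEMBER]},
    {"role": "roles/compute.viewer", "members": [MEMBER]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]})

def member_bindings(policy, member):
    """Split the roles bound to `member` into those granted under an IAM Condition
    and those granted unconditionally. A role may land in both sets, because one
    policy can carry several bindings for the same role."""
    conditioned, unconditioned = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditioned if binding.get("condition") else unconditioned
            target.add(binding["role"])
    return conditioned, unconditioned

def unconditional_roles(policy_json, member):
    """Roles the member holds with no condition at all: the grants an operator
    has to re-scope after a roleset write on an unpatched Vault."""
    return sorted(member_bindings(json.loads(policy_json), member)[1])

def dropped_conditions(before_json, after_json, member):
    """Roles that were conditioned before the roleset update and are granted
    unconditionally afterwards, the symptom of CVE-2023-5077. An empty list
    after an update on a patched Vault means the conditions persisted."""
    b_cond, b_uncond = member_bindings(json.loads(before_json), member)
    a_cond, a_uncond = member_bindings(json.loads(after_json), member)
    return sorted((a_uncond - b_uncond) & b_cond)

if __name__ == "__main__":
    print("unconditional after update:", unconditional_roles(AFTER, MEMBER))
    print("conditions dropped by update:", dropped_conditions(BEFORE, AFTER, MEMBER))
```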

📡 Detection & Monitoring

Log Indicators:

  • Unusual roleset creation/modification patterns
  • Google Cloud API calls from unexpected sources

Network Indicators:

  • Increased Google Cloud API traffic from Vault instances

SIEM Query:

source="vault" AND (event="roleset_creation" OR event="roleset_update")
