CVE-2023-6337
📋 TL;DR
HashiCorp Vault versions 1.12.0 and newer (prior to the patched releases listed below) are vulnerable to denial of service through memory exhaustion when processing large HTTP requests. An attacker can send oversized requests that cause Vault to consume all available host memory, potentially crashing the service. This affects both unauthenticated and authenticated requests.
💻 Affected Systems
- HashiCorp Vault
- HashiCorp Vault Enterprise
📦 What is this software?
Vault by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Complete Vault service outage, loss of access to secrets, disruption of dependent applications, and potential host system instability requiring reboot.
Likely Case
Vault service crashes, requiring manual restart and causing temporary unavailability of secrets management.
If Mitigated
Limited impact with proper network controls and monitoring; service may experience performance degradation but avoids complete outage.
🎯 Exploit Status
Exploitation requires sending large HTTP requests, which is trivial with standard tools like curl or custom scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15.4, 1.14.8, or 1.13.12
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
Restart Required: Yes
Instructions:
1. Download the patched version from HashiCorp releases.
2. Stop the Vault service.
3. Back up configuration and data.
4. Install the patched version.
5. Restart the Vault service.
6. Verify the service is running correctly.
🔧 Temporary Workarounds
Request Size Limiting via Load Balancer
Configure the load balancer or reverse proxy in front of Vault to reject HTTP requests that exceed a reasonable size limit.
# Example nginx configuration
client_max_body_size 10m;
# Example Apache configuration
LimitRequestBody 10485760
Network Access Controls
Restrict Vault API access to trusted networks and implement rate limiting.
# Example iptables rule
iptables -A INPUT -p tcp --dport 8200 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8200 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit Vault API access
- Deploy WAF or reverse proxy with request size limiting and rate limiting
🔍 How to Verify
Check if Vulnerable:
Run the 'vault version' command and compare the reported version against the affected range (1.12.0 and newer, below the patched releases).
Check Version:
vault version
Verify Fix Applied:
Confirm that 'vault version' reports 1.15.4, 1.14.8, or 1.13.12, then test with a controlled large request against a non-production instance.
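The version comparison above, as an added helper that is not part of this advisory or of Vault itself: it parses the output of 'vault version' and classifies the install against the affected range (1.12.0 and newer) and the per-series fixed releases listed here. It assumes that releases newer than the latest listed fix (1.15.4) carry the fix, and that a 1.12.x install has no patched release on this page.

```python
import re
import subprocess

# Patched releases from the advisory, keyed by (major, minor) series.
FIXED = {(1, 13): (1, 13, 12), (1, 14): (1, 14, 8), (1, 15): (1, 15, 4)}
FIRST_AFFECTED = (1, 12, 0)


def parse_vault_version(output: str) -> tuple:
    """Extract (major, minor, patch) from 'vault version' output.

    Handles lines such as 'Vault v1.15.3 (abc123), built 2023-11-22'
    and enterprise builds such as 'Vault v1.14.2+ent'.
    """
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no version found in: {output!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: tuple) -> str:
    """Return 'not_affected', 'vulnerable', 'fixed' or 'unfixed_series'."""
    if version < FIRST_AFFECTED:
        return "not_affected"
    series = version[:2]
    if series in FIXED:
        return "fixed" if version >= FIXED[series] else "vulnerable"
    # Assumption: anything newer than the latest listed fix includes it.
    if version > max(FIXED.values()):
        return "fixed"
    # In the affected range but no patched release is listed for this
    # series (1.12.x); upgrade to a series that has one.
    return "unfixed_series"


def check_installed() -> str:
    """Run the local 'vault' binary and classify its version."""
    out = subprocess.run(["vault", "version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_vault_version(out))


if __name__ == "__main__":
    print(check_installed())
```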
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts
- Vault process crashes/restarts
- Large HTTP request logs (size >10MB)
Network Indicators:
- Unusually large HTTP requests to Vault API endpoints
- High volume of requests from single source
SIEM Query:
source="vault" AND ("out of memory" OR "panic" OR "fatal") OR http_request_size > 10000000
🔗 References
- https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
- https://security.netapp.com/advisory/ntap-20240112-0006/