CVE-2024-1052

8.0 HIGH

📋 TL;DR

Boundary and Boundary Enterprise are vulnerable to session hijacking through TLS certificate tampering. Attackers with specific privileges can craft TLS certificates to hijack active sessions and access underlying services. This affects organizations using Boundary for secure remote access.

💻 Affected Systems

Products:
  • Boundary
  • Boundary Enterprise
Versions: All versions prior to 0.15.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have enumeration privileges, access to private keys, and valid TOFU tokens.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of remote access infrastructure, allowing attackers to access all connected backend systems and sensitive data through hijacked sessions.

🟠 Likely Case

Targeted session hijacking leading to unauthorized access to specific backend applications or systems accessible through Boundary.

🟢 If Mitigated

Limited impact due to proper privilege separation, certificate validation, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires multiple privilege levels and specific conditions, making it moderately complex.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.15.2

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458

Restart Required: Yes

Instructions:

1. Download Boundary version 0.15.2 or later.
2. Stop Boundary services.
3. Replace the binary with the patched version.
4. Restart Boundary services.
5. Verify the upgrade succeeded (see "How to Verify" below).

🔧 Temporary Workarounds

Restrict Session Enumeration

Applies to: all affected versions

Limit which principals can enumerate active sessions to reduce the attack surface. In Boundary, listing sessions is governed by role grants on the `session` resource type, so the control is applied by removing the `list` action from roles that do not need it (the role ID below is a placeholder; adjust the grant string to match the grants actually present on the role):

boundary roles remove-grants -id=<role_id> -grant="ids=*;type=session;actions=list"

Implement Certificate Pinning

Applies to: all affected versions

Pin the expected worker certificates on the client side so that a crafted certificate cannot be accepted on the strength of a TOFU token alone.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Boundary infrastructure
  • Enforce least privilege access controls and audit all session enumeration activities

🔍 How to Verify

Check if Vulnerable:

Check the installed Boundary version; any version before 0.15.2 is affected:

boundary version

Verify Fix Applied:

Confirm the reported version is 0.15.2 or later. The pattern below also accepts patch numbers of two digits (0.15.10 and up), which a naive `[2-9]` character class would miss:

boundary version | grep -E '0\.15\.([2-9]|[1-9][0-9])|0\.(1[6-9]|[2-9][0-9])\.|[1-9][0-9]*\.[0-9]+\.[0-9]+'
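A regex on the version string is fragile (it matches substrings and silently breaks as version numbering grows). The following is an added example, not part of this advisory or of the Boundary project, that compares the version reported by the CLI against the fixed release numerically. The `boundary version` output layout it parses is a constructed sample; the script only relies on the first `x.y.z` token in the output.

```sh
#!/bin/sh
# Added example: numeric version comparison for the CVE-2024-1052 fix check.
# Not from the advisory or from HashiCorp; assumes `boundary version` prints an
# x.y.z version somewhere in its output.

FIXED_VERSION="0.15.2"

# vercmp A B -> prints 0 if A == B, 1 if A > B, 2 if A < B.
# Leading 'v' and any pre-release/build suffix ("-beta", "+meta") are ignored;
# missing trailing components are treated as 0 (so 0.15 == 0.15.0).
vercmp() {
  a=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//')
  b=$(printf '%s' "$2" | sed -e 's/^v//' -e 's/[-+].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    if [ "$ai" -lt "$bi" ]; then echo 2; return 0; fi
    # Drop the component just compared; clear the string when no dot remains.
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo 0
}

# extract_version TEXT -> first x.y.z token found in TEXT (empty if none).
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# is_fixed VERSION -> exit status 0 when VERSION >= 0.15.2, 1 otherwise.
is_fixed() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" != 2 ]
}

# Constructed sample of CLI output, used for offline testing of the parser;
# the real layout of `boundary version` may differ.
SAMPLE_OUTPUT="Version information:
  Git Revision:        0123456
  Version Number:      0.15.1"

# check_boundary -> runs the real CLI and reports the verdict.
# Exit status: 0 fixed, 1 vulnerable, 2 could not determine.
check_boundary() {
  out=$(boundary version 2>/dev/null) || { echo "boundary CLI not found or failed"; return 2; }
  v=$(extract_version "$out")
  if [ -z "$v" ]; then echo "could not parse a version from CLI output"; return 2; fi
  if is_fixed "$v"; then
    echo "Boundary $v: at or above $FIXED_VERSION, CVE-2024-1052 fix present"
    return 0
  fi
  echo "Boundary $v: below $FIXED_VERSION, VULNERABLE to CVE-2024-1052"
  return 1
}
```

Source the file and call `check_boundary` on each controller and worker host; the exit status makes it usable from a fleet-wide audit job, and `vercmp` can be reused for any future Boundary advisory by changing `FIXED_VERSION`.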

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed session authentication attempts
  • Unusual session enumeration patterns
  • Certificate validation errors

Network Indicators:

  • Unexpected TLS certificate changes during active sessions
  • Suspicious certificate authority modifications

SIEM Query:

source="boundary" AND (event="session_hijack" OR event="certificate_tampering")

The `source` and `event` values above are illustrative field names, not part of Boundary's own event schema; map them to the event types and fields your Boundary audit event sink actually emits before deploying the query.
