CVE-2024-9180
📋 TL;DR
A Vault operator who holds write permission on the root namespace's identity endpoint can escalate their own privileges, or another user's, to Vault's root policy. Only HashiCorp Vault deployments that grant an operator that permission are exposed, but the outcome is a full bypass of Vault's access control system, since the root policy is not subject to any other policy check.
💻 Affected Systems
- HashiCorp Vault Community Edition
- HashiCorp Vault Enterprise
📦 What is this software?
OpenBao by OpenBao
Vault by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
An attacker with initial operator access could gain full root privileges, compromising all secrets and administrative functions in the Vault deployment.
Likely Case
Malicious or compromised operators could elevate their privileges to access sensitive secrets they shouldn't have access to.
If Mitigated
Removing write permission on the root namespace's identity endpoint from every operator who does not need it removes the precondition for the attack; the residual risk is confined to the operators who legitimately keep that permission, who should be treated as root-equivalent until the patch is applied.
🎯 Exploit Status
Exploitation requires an authenticated token whose policies grant write capabilities on the root namespace's identity endpoint; there is no unauthenticated path. The flaw is in how the identity endpoint handles those writes, so any operator already holding that permission can trigger it without further tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.18.0; Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16. Community Edition releases on the 1.15 to 1.17 lines did not receive a backport, so Community users must move to 1.18.0.
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565
Restart Required: Yes
Instructions:
1. Back up your Vault configuration and storage backend (take a snapshot if you use Integrated Storage).
2. Download the patched release for your edition from HashiCorp's official releases.
3. Stop the Vault service. In an HA cluster, upgrade the standby nodes first and the active node last.
4. Replace the Vault binary with the patched version.
5. Start the Vault service and unseal it, unless auto-unseal is configured.
6. Confirm the reported version with `vault version` and check that authentication and secret reads work as before.
🔧 Temporary Workarounds
Restrict root namespace identity endpoint permissions
Remove write-class capabilities (create, update, patch, delete, sudo) on the root namespace's identity/ paths from every operator policy that does not absolutely need them, then write the trimmed policy back, for example:
vault policy write restricted-policy restricted-policy.hcl
🧯 If You Can't Patch
- Review every policy in the root namespace for write-class capabilities on identity/ paths and restrict them to the smallest possible set of operators; treat whoever keeps them as root-equivalent
- Alert on writes to identity endpoints in the root namespace (see Detection & Monitoring below) and review each one against a change ticket
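The audit that both the workaround above and the first bullet describe, as an added example that is not from the advisory or from HashiCorp: a POSIX shell function that scans one policy's HCL text (the output of `vault policy read NAME`) and reports every stanza granting a write-class capability on an identity/ path. The sample policy is constructed for the demonstration; the function name and the policy name `sample-operator` are assumptions, not names from the page.

```shell
#!/bin/sh
# Added example (not from the advisory or HashiCorp): scan Vault ACL policy
# text for stanzas that grant write-class capabilities on identity/ paths.
# Run against the root namespace (VAULT_NAMESPACE unset), because that is the
# namespace the advisory is about. Handles HCL-format policies only.

# identity_write_grants NAME < policy.hcl
# Prints "NAME<TAB>path<TAB>capabilities" for every stanza whose path is
# under identity/ (or is the bare "*" glob) and whose capabilities include
# create, update, patch, delete or sudo. A stanza containing "deny" is
# skipped, since deny beats every other capability on that same path.
identity_write_grants() {
    awk -v policy="$1" '
        # Start of a stanza: remember the quoted path, reset the buffer
        /^[[:space:]]*path[[:space:]]*"/ {
            match($0, /"[^"]*"/)
            cur = substr($0, RSTART + 1, RLENGTH - 2)
            body = ""
        }
        cur != "" {
            body = body " " $0
            # End of the stanza (also handles single-line stanzas)
            if (index($0, "}") > 0) {
                under_identity = (cur ~ "^identity(/|$)" || cur == "*")
                writes = (body ~ "\"(create|update|patch|delete|sudo)\"")
                if (under_identity && writes && body !~ "\"deny\"") {
                    s = index(body, "["); e = index(body, "]")
                    caps = (s && e > s) ? substr(body, s, e - s + 1) : "?"
                    gsub(/[[:space:]]+/, " ", caps)
                    printf "%s\t%s\t%s\n", policy, cur, caps
                }
                cur = ""
            }
        }
    '
}

# Number of write-class identity grants in the policy text on stdin.
count_identity_write_grants() {
    identity_write_grants "$1" | wc -l | tr -d ' '
}

# Constructed sample policy (not from any real deployment): two stanzas grant
# identity writes, one is read-only, one is on another mount, one denies.
SAMPLE_POLICY='
path "identity/entity/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "identity/group/name/*" {
  capabilities = [
    "update",
  ]
}
path "identity/entity-alias/*" {
  capabilities = ["read", "list"]
}
path "secret/*" {
  capabilities = ["create", "update"]
}
path "identity/*" {
  capabilities = ["deny"]
}
'

# Stand-alone demo. Against a live cluster iterate over the real policies:
#   for p in $(vault policy list); do
#     [ "$p" = root ] && continue      # root grants everything by definition
#     vault policy read "$p" | identity_write_grants "$p"
#   done
printf '%s\n' "$SAMPLE_POLICY" | identity_write_grants sample-operator
```

Two grants are reported for the sample (`identity/entity/*` and `identity/group/name/*`). The trailing `deny` on `identity/*` does not cancel them: Vault resolves a request against the most specific matching path, so a broad deny never overrides a narrower grant. The scanner also does not expand `+` segment wildcards or policy templating, and policies written in JSON rather than HCL need a different parser.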
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if `vault version` reports a release older than the patched one for your edition (Community Edition: anything before 1.18.0; Enterprise: anything before 1.15.16, 1.16.11, 1.17.7 or 1.18.0 on the respective line) and any operator policy in the root namespace grants write capabilities on identity/ paths.
Check Version:
vault version
Verify Fix Applied:
Confirm that `vault version` reports 1.18.0 or later, or for Enterprise 1.17.7, 1.16.11 or 1.15.16 (or a later patch release on that line), on every node of the cluster. In a non-production environment, confirm that a test operator token holding only identity write capabilities can no longer obtain the root policy.
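The version check above, as an added example that is not part of the advisory or of HashiCorp's tooling: a POSIX shell function that takes either a bare version string or the full `vault version` line and decides whether the release is older than the patched one for its edition. It assumes Enterprise builds carry a `+ent` suffix (as in `v1.17.6+ent` or `v1.18.0+ent.hsm`), which is how `vault version` reports them; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Vault release is
# older than the fix for CVE-2024-9180. Patched releases per the advisory:
#   Community Edition 1.18.0
#   Enterprise        1.18.0, 1.17.7, 1.16.11, 1.15.16
# Assumption: Enterprise builds are identified by a "+ent" suffix.

# Pull the first a.b.c token (optionally prefixed with "v") out of a string,
# so both "1.17.6+ent" and the full `vault version` line are accepted.
extract_version() {
    for tok in $1; do
        case "$tok" in
            v[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "${tok#v}"; return 0 ;;
            [0-9]*.[0-9]*.[0-9]*)  printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

is_enterprise() {
    case "$1" in *+ent*) return 0 ;; *) return 1 ;; esac
}

# Exit status: 0 = vulnerable, 1 = fixed, 2 = unrecognised input.
vault_version_vulnerable() {
    full=$(extract_version "$1" || true)
    if [ -z "$full" ]; then
        echo "unrecognised version string: $1" >&2
        return 2
    fi
    v=${full%%[+-]*}                 # strip +ent, +ent.hsm, -rc1 and the like
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}

    # 1.18.0 and everything after it carries the fix in both editions
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 18 ]; }; then
        return 1
    fi
    # Community Edition received no backports, so anything below 1.18 is exposed
    if ! is_enterprise "$full"; then
        return 0
    fi
    # Enterprise: compare against the patched release on the same minor line
    case "$minor" in
        17) [ "$patch" -lt 7 ] ;;
        16) [ "$patch" -lt 11 ] ;;
        15) [ "$patch" -lt 16 ] ;;
        *)  return 0 ;;              # 1.14 and older never got a patched release
    esac
}

# Usage: sh check-vault-version.sh "$(vault version)"
for arg in "$@"; do
    vault_version_vulnerable "$arg" && rc=0 || rc=$?
    case "$rc" in
        0) echo "VULNERABLE to CVE-2024-9180: $arg" ;;
        1) echo "fixed: $arg" ;;
        *) echo "could not parse: $arg" ;;
    esac
done
```

Run it on every node, not just the one you are logged into; a partially upgraded HA cluster still has vulnerable standbys. The `+ent` test is what separates a Community 1.17.6 (exposed until 1.18.0) from an Enterprise 1.17.7 (fixed).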
📡 Detection & Monitoring
Log Indicators:
- Audit-device entries with `request.operation` of `create`, `update`, `patch` or `delete` on an `identity/` path where `request.namespace.id` is `root`, from any token that is not an approved identity administrator
- Entities or groups in the root namespace whose policy list includes `root` (compare `vault read identity/entity/id/<id>` and `vault read identity/group/id/<id>` output against your expected state; the policy values in audit entries are HMAC'd by default, so they cannot be searched in plaintext)
Network Indicators:
- POST or PUT requests to `/v1/identity/...` paths from operator workstations or automation that do not normally manage identities; because Vault API traffic is TLS, this is visible only at a TLS-terminating proxy or load balancer, so the audit device is the primary source
SIEM Query:
source="vault" type=request request.namespace.id=root request.path="identity/*" request.operation IN (create, update, patch, delete)
Splunk-style; adapt the field names to your parser. Vault audit entries record the operation as `create`, `update`, `patch`, `delete`, `read` or `list`, never `write`, and HMAC the values under `request.data`, so match on namespace, path and operation rather than on the policy name being assigned.
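The same detection logic applied to raw audit lines, as an added example that is neither from the advisory nor from HashiCorp: a POSIX shell function that reads JSON audit-device entries and prints every request that writes to an identity/ path inside the root namespace. The sample lines are constructed for the demonstration and simplified; the layout assumed is that of Vault's JSON file audit device (`type`, `auth.display_name`, `request.operation`, `request.namespace.id`, `request.path`), and the function names are assumptions. Use jq or your SIEM's JSON parser in production; the awk here is only meant to make the matching rule concrete.

```shell
#!/bin/sh
# Added example (not from the advisory or HashiCorp): flag identity-endpoint
# writes in the root namespace from Vault audit-device log lines.
# Assumed (simplified) entry layout, one JSON object per line:
#   {"time":...,"type":"request","auth":{"display_name":...},
#    "request":{"operation":...,"namespace":{"id":"root"},"path":"identity/..."}}
# Values under request.data are HMAC'd by default, so the policies being
# assigned are not visible; alert on namespace + path + operation instead.

# flag_root_identity_writes < audit.log
# Prints time, caller display name, operation and path (tab-separated) for
# every request entry that writes to an identity/ path in the root namespace.
flag_root_identity_writes() {
    awk '
        # First occurrence of "key":"value" in string s, or "" if absent.
        function field(s, key,    re) {
            re = "\"" key "\":\"[^\"]*\""
            if (match(s, re))
                return substr(s, RSTART + length(key) + 4, RLENGTH - length(key) - 5)
            return ""
        }
        /"type":"request"/ {
            line = $0
            ns = ""
            # The namespace object is flat; read its id, then cut it out of the
            # line so a child namespace "path" cannot be mistaken for the request path.
            i = index(line, "\"namespace\":{")
            if (i > 0) {
                j = index(substr(line, i), "}")
                ns = field(substr(line, i, j), "id")
                line = substr(line, 1, i - 1) substr(line, i + j)
            }
            op = field(line, "operation")
            path = field(line, "path")
            if (ns == "root" && path ~ "^identity/" && op ~ "^(create|update|patch|delete)$")
                printf "%s\t%s\t%s\t%s\n", field(line, "time"), field(line, "display_name"), op, path
        }
    '
}

# Number of flagged entries in the audit lines on stdin.
count_root_identity_writes() {
    flag_root_identity_writes | wc -l | tr -d ' '
}

# Constructed sample lines (not real audit output). Entries 1 and 5 should be
# flagged; 2 is a response, 3 is a read, 4 is in a child namespace, 6 is not
# an identity path.
SAMPLE_AUDIT='{"time":"2024-10-09T10:00:01Z","type":"request","auth":{"display_name":"userpass-alice","policies":["default","ops-identity"]},"request":{"id":"r1","operation":"update","mount_type":"identity","namespace":{"id":"root"},"path":"identity/entity/id/5f8c","data":{"policies":"hmac-sha256:a1b2"}}}
{"time":"2024-10-09T10:00:02Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"id":"r1","operation":"update","namespace":{"id":"root"},"path":"identity/entity/id/5f8c"},"response":{"mount_type":"identity"}}
{"time":"2024-10-09T10:00:03Z","type":"request","auth":{"display_name":"userpass-alice"},"request":{"id":"r2","operation":"read","namespace":{"id":"root"},"path":"identity/entity/id/5f8c"}}
{"time":"2024-10-09T10:00:04Z","type":"request","auth":{"display_name":"userpass-bob"},"request":{"id":"r3","operation":"update","namespace":{"id":"kPq2R","path":"team-a/"},"path":"identity/group/name/admins"}}
{"time":"2024-10-09T10:00:05Z","type":"request","auth":{"display_name":"userpass-bob"},"request":{"id":"r4","operation":"update","namespace":{"id":"root"},"path":"identity/group/name/admins","data":{"policies":"hmac-sha256:c3d4"}}}
{"time":"2024-10-09T10:00:06Z","type":"request","auth":{"display_name":"token"},"request":{"id":"r5","operation":"create","namespace":{"id":"root"},"path":"secret/data/app"}}'

# Stand-alone demo; against a live file: flag_root_identity_writes < /var/log/vault/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | flag_root_identity_writes
```

Only the two root-namespace writes are reported. The rule deliberately ignores writes in child namespaces (Enterprise), which the advisory does not cover, and ignores the response entries, which would otherwise double-count each request. Every hit should correspond to a known identity change; an unexplained one from an operator token is the signal this advisory is about.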