CVE-2025-13357
📋 TL;DR
The Vault Terraform Provider set the deny_null_bind parameter of the LDAP auth method to false by default, whereas Vault itself defaults it to true. With deny_null_bind=false, a login that carries an empty password is forwarded to the LDAP server as an unauthenticated (null) bind; if the directory accepts such binds, the bind succeeds and Vault issues a token for that username. Organizations that manage Vault's LDAP auth method with an affected provider version and never set deny_null_bind explicitly are affected: an attacker who knows a valid LDAP username could obtain Vault secrets without a password.
💻 Affected Systems
- HashiCorp Vault Terraform Provider
📦 What is this software?
terraform-provider-vault is HashiCorp's Terraform provider for managing Vault configuration as code, including auth methods such as LDAP; its vault_ldap_auth_backend resource is the one that carries the deny_null_bind setting.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who knows any LDAP username logs in to Vault without a password and inherits every policy mapped to that user or their LDAP groups; where those policies are broad, that is full compromise of the secrets, credentials and certificates Vault holds.
Likely Case
Password-less login limited to the policies of the guessed LDAP user, in environments whose LDAP server still accepts unauthenticated binds; the blast radius is whatever those policies expose.
If Mitigated
No impact if the LDAP server rejects unauthenticated (null) binds, or if deny_null_bind is explicitly set to true in the Terraform resource and therefore in the live Vault configuration.
🎯 Exploit Status
Exploitation requires an LDAP server that accepts unauthenticated binds plus a valid LDAP username; with both, it is trivial, amounting to an ordinary Vault LDAP login with an empty password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.5.0
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822
Restart Required: No
Instructions:
1. Raise the hashicorp/vault constraint in required_providers to >= 5.5.0.
2. Run 'terraform init -upgrade' to fetch the new provider version.
3. Run 'terraform plan' and confirm the LDAP auth backend shows deny_null_bind changing from false to true; upgrading the provider alone changes nothing in Vault until the plan is applied.
4. Run 'terraform apply'.
🔧 Temporary Workarounds
Explicitly set deny_null_bind parameter
Add deny_null_bind = true to every vault_ldap_auth_backend resource and run 'terraform apply'. An explicit value overrides the provider default on any provider version, so this closes the issue even before upgrading.
🧯 If You Can't Patch
- Configure the LDAP server to reject unauthenticated binds (a DN with an empty password). OpenLDAP rejects them unless 'allow bind_anon_dn' is set, so remove that directive if present; Active Directory accepts such binds by default, so there the Vault-side setting is the effective control.
- Set the flag directly with 'vault write auth/ldap/config deny_null_bind=true'. A later Terraform apply from an affected provider that still omits the attribute will revert it, so treat this as a stopgap and re-check after every apply.
- Monitor Vault audit logs for successful auth/ldap/login/* entries from unexpected users or source addresses, and the LDAP server's own logs for unauthenticated binds arriving from the Vault servers.
🔍 How to Verify
Check if Vulnerable:
You are exposed if all three hold: the hashicorp/vault provider pinned in .terraform.lock.hcl is < 5.5.0, the vault_ldap_auth_backend resource does not set deny_null_bind explicitly, and the LDAP server accepts unauthenticated binds. The live setting is authoritative: 'vault read auth/ldap/config' should report deny_null_bind true.
Check Version:
terraform version
(provider versions are listed only after 'terraform init' has run; .terraform.lock.hcl records the exact pinned version)
Verify Fix Applied:
Confirm the provider version is >=5.5.0 in .terraform.lock.hcl, that 'terraform plan' reports no pending change to deny_null_bind, and that 'vault read auth/ldap/config' shows deny_null_bind true in Vault itself.
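As an added verification example, not code from HashiCorp or from the advisory, the following Python script runs the checks above offline: the pinned provider version from .terraform.lock.hcl, whether the vault_ldap_auth_backend resource sets deny_null_bind explicitly (the workaround from the previous section, shown as TF_HARDENED beside the unpatched shape TF_DEFAULT), and the value Vault actually enforces as returned by 'vault read -format=json auth/ldap/config'. The resource name and attribute are the provider's real ones; the lock-file contents, the .tf bodies and the JSON responses are constructed sample data, and the HCL handling is regex-based for illustration rather than a full HCL parser.

```python
"""Added example (not from HashiCorp or the advisory): check a Terraform-managed
Vault LDAP auth method for CVE-2025-13357 exposure.

Inputs, all collectable offline:
  * .terraform.lock.hcl                                -> pinned provider version
  * the *.tf file(s)                                   -> explicit deny_null_bind?
  * `vault read -format=json auth/ldap/config` output  -> the value Vault enforces
"""
import json
import re

FIXED_VERSION = (5, 5, 0)  # first provider release with the correct default
VAULT_PROVIDER = "registry.terraform.io/hashicorp/vault"


def parse_provider_version(lock_hcl, provider=VAULT_PROVIDER):
    """Pinned version of `provider` from .terraform.lock.hcl as (major, minor, patch), or None."""
    block = re.search(r'provider\s+"%s"\s*\{(.*?)\n\}' % re.escape(provider), lock_hcl, re.S)
    if not block:
        return None
    m = re.search(r'\bversion\s*=\s*"(\d+)\.(\d+)\.(\d+)"', block.group(1))
    return tuple(int(x) for x in m.groups()) if m else None


def explicit_deny_null_bind(tf_hcl):
    """Map each vault_ldap_auth_backend resource name to its explicit deny_null_bind
    (True/False), or None when the attribute is absent and the provider default applies."""
    found = {}
    for m in re.finditer(r'resource\s+"vault_ldap_auth_backend"\s+"([\w-]+)"\s*\{(.*?)\n\}',
                         tf_hcl, re.S):
        v = re.search(r'\bdeny_null_bind\s*=\s*(true|false)\b', m.group(2))
        found[m.group(1)] = None if v is None else v.group(1) == "true"
    return found


def live_deny_null_bind(vault_read_json):
    """deny_null_bind as reported by `vault read -format=json auth/ldap/config`."""
    return json.loads(vault_read_json)["data"].get("deny_null_bind")


def assess(lock_hcl, tf_hcl, vault_read_json=None):
    """Return ("OK" | "VULNERABLE", [findings]); any finding means null binds may be accepted."""
    findings = []
    ver = parse_provider_version(lock_hcl)
    ver_str = "%d.%d.%d" % ver if ver else "unknown"
    for name, explicit in explicit_deny_null_bind(tf_hcl).items():
        if explicit is False:
            findings.append(f"vault_ldap_auth_backend.{name}: deny_null_bind = false")
        elif explicit is None and (ver is None or ver < FIXED_VERSION):
            findings.append(f"vault_ldap_auth_backend.{name}: deny_null_bind not set and "
                            f"provider {ver_str} < 5.5.0 defaults it to false")
    # The live value is authoritative: an upgraded provider that was never applied leaves it false.
    if vault_read_json is not None and live_deny_null_bind(vault_read_json) is not True:
        findings.append("live auth/ldap/config: deny_null_bind is not true")
    return ("VULNERABLE" if findings else "OK"), findings


# --- constructed sample inputs (not real files or responses) ------------------------------
LOCK_OLD = '''provider "registry.terraform.io/hashicorp/vault" {
  version     = "5.4.0"
  constraints = "~> 5.4"
  hashes = [
    "h1:constructedhashvalue=",
  ]
}
'''
LOCK_FIXED = LOCK_OLD.replace('"5.4.0"', '"5.5.0"').replace('"~> 5.4"', '">= 5.5.0"')

# Unpatched shape: attribute omitted, so the provider's wrong default lands in Vault.
TF_DEFAULT = '''resource "vault_ldap_auth_backend" "corp" {
  url      = "ldaps://ldap.example.com"
  userdn   = "ou=Users,dc=example,dc=com"
  userattr = "uid"
  groupdn  = "ou=Groups,dc=example,dc=com"
}
'''
# Workaround shape: an explicit value holds on any provider version.
TF_HARDENED = TF_DEFAULT.replace('  url ', '  deny_null_bind = true\n  url ')

LIVE_FALSE = '{"request_id":"c0ffee","data":{"url":"ldaps://ldap.example.com","deny_null_bind":false}}'
LIVE_TRUE = LIVE_FALSE.replace('"deny_null_bind":false', '"deny_null_bind":true')


if __name__ == "__main__":
    cases = [("old provider, attribute omitted, live=false", (LOCK_OLD, TF_DEFAULT, LIVE_FALSE)),
             ("old provider, workaround applied", (LOCK_OLD, TF_HARDENED, LIVE_TRUE)),
             ("fixed provider, upgraded but never applied", (LOCK_FIXED, TF_DEFAULT, LIVE_FALSE)),
             ("fixed provider, applied", (LOCK_FIXED, TF_DEFAULT, LIVE_TRUE))]
    for label, args in cases:
        verdict, findings = assess(*args)
        print(f"{label}: {verdict}", *findings, sep="\n  ")
```

The third case is the one to watch after patching: the lock file says 5.5.0, the plan is still pending, and Vault still has deny_null_bind=false.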
📡 Detection & Monitoring
Log Indicators:
- Vault audit logs: successful responses for auth/ldap/login/<username> (no 'error' field) from users or source addresses that do not normally authenticate via LDAP, or many distinct usernames succeeding from one client in a short window. Vault HMACs the values under request.data, so an empty password is not visible in the audit log itself.
- Vault audit logs: updates to auth/ldap/config, which is when a Terraform apply from an affected provider can flip deny_null_bind back to false.
- LDAP server logs: simple binds with a DN but empty password (unauthenticated binds) originating from the Vault servers.
Network Indicators:
- LDAP simple bind requests carrying a DN and empty credentials from Vault servers; these are only visible on the wire for plain LDAP, so rely on the directory's logs when Vault talks LDAPS or StartTLS.
SIEM Query:
source="vault" AND (event_type="auth" OR event_type="login") AND ldap_bind_method="anonymous"
(the field names above are placeholders for your SIEM's schema; Vault's own audit entries carry no bind-method field, so key on request.path starting with auth/ldap/login/ and the absence of an error instead)
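The following triage script is an added example, not tooling from HashiCorp or the advisory, and it implements the indicators above against Vault's file-audit-device JSON shape: successful auth/ldap/login/<user> responses from outside a trusted range, one client succeeding as several distinct users, and writes to auth/ldap/config. The audit lines are constructed for the example, the trusted network is an assumption, and an empty password is deliberately not looked for because Vault HMACs request.data before logging.

```python
"""Added example (not from HashiCorp or the advisory): triage Vault audit log lines
for the CVE-2025-13357 abuse pattern.

Vault HMAC-SHA256s every string under request.data before writing the audit log, so an
empty LDAP password is not visible. What is observable: the login path
(auth/ldap/login/<user>), whether the response carried an error, the client address,
and writes to auth/ldap/config (the moment a Terraform apply can reset deny_null_bind).
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption for the example: interactive LDAP logins normally originate from here.
TRUSTED_NETS = ("10.0.0.0/8",)


def triage(lines, trusted_nets=TRUSTED_NETS, burst_threshold=2):
    """Return (alert, subject, detail) tuples for one batch of audit lines.

    ldap-login-untrusted-source  successful LDAP login from outside trusted_nets
    ldap-login-burst             one client succeeded as >= burst_threshold distinct users
    ldap-config-changed          auth/ldap/config was written; re-check deny_null_bind
    """
    nets = [ip_network(n) for n in trusted_nets]
    alerts = []
    users_by_src = defaultdict(set)
    for line in lines:
        entry = json.loads(line)
        if entry.get("type") != "response":  # every call logs a request and a response entry
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        src = req.get("remote_address") or "0.0.0.0"
        if path == "auth/ldap/config" and req.get("operation") == "update":
            alerts.append(("ldap-config-changed", src, entry.get("time", "")))
        elif path.startswith("auth/ldap/login/") and not entry.get("error"):
            user = path.rsplit("/", 1)[1]
            users_by_src[src].add(user)
            if not any(ip_address(src) in net for net in nets):
                alerts.append(("ldap-login-untrusted-source", user, src))
    for src, users in users_by_src.items():
        if len(users) >= burst_threshold:
            alerts.append(("ldap-login-burst", src, ",".join(sorted(users))))
    return alerts


# Constructed audit lines in the shape of Vault's file audit device (not real logs).
AUDIT_LINES = [
    '{"time":"2025-11-20T09:00:01Z","type":"request","request":{"path":"auth/ldap/login/alice",'
    '"operation":"update","remote_address":"10.1.2.3","data":{"password":"hmac-sha256:constructed"}}}',
    '{"time":"2025-11-20T09:00:01Z","type":"response","request":{"path":"auth/ldap/login/alice",'
    '"operation":"update","remote_address":"10.1.2.3"},"response":{"auth":{"display_name":"ldap-alice",'
    '"policies":["default","dev"]}}}',
    '{"time":"2025-11-20T09:03:10Z","type":"response","request":{"path":"auth/ldap/login/bob",'
    '"operation":"update","remote_address":"203.0.113.7"},"response":{"auth":{"display_name":"ldap-bob",'
    '"policies":["default","ops"]}}}',
    '{"time":"2025-11-20T09:03:12Z","type":"response","request":{"path":"auth/ldap/login/carol",'
    '"operation":"update","remote_address":"203.0.113.7"},"response":{"auth":{"display_name":"ldap-carol",'
    '"policies":["default"]}}}',
    '{"time":"2025-11-20T09:03:15Z","type":"response","error":"ldap operation failed: unable to retrieve '
    'user bind DN","request":{"path":"auth/ldap/login/nobody","operation":"update",'
    '"remote_address":"203.0.113.7"}}',
    '{"time":"2025-11-20T08:45:00Z","type":"response","request":{"path":"auth/ldap/config",'
    '"operation":"update","remote_address":"10.9.9.9"},"response":{}}',
]

if __name__ == "__main__":
    for alert in triage(AUDIT_LINES):
        print(*alert, sep="\t")
```

On the sample batch, alice's login from 10.1.2.3 is silent, the failed login for "nobody" is skipped, bob and carol from 203.0.113.7 each raise an untrusted-source alert plus one burst alert for that client, and the config write raises its own alert. In a SIEM, window the burst count by time rather than by batch, and tune burst_threshold to how many LDAP identities one workstation legitimately uses.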