BIT-vault-2023-25000
Malicious Package vulnerability in vault (Go)
What is BIT-vault-2023-25000 About?
This package is a malicious NPM package compromised by the 'Shai-Hulud NPM worm' that steals tokens and credentials. Any system where this package is installed should be considered fully compromised. Exploitation is automatic upon installation.
Affected Software
- github.com/hashicorp/vault
  - >1.12.0, <1.12.5
  - <1.11.9
  - >1.13.0, <1.13.1
Technical Details
This vulnerability is a supply chain compromise where the NPM package in question has been injected with malicious code, becoming part of the 'Shai-Hulud NPM worm' campaign. Upon installation, a malicious payload is automatically executed. This payload is engineered to systematically search for and extract sensitive data including tokens and credentials (e.g., npm, GitHub, AWS, GCP access tokens) from the compromised system. Furthermore, it automates the process of publishing these stolen items to external repositories (like GitHub) and then attempts to propagate itself by publishing new versions to other NPM packages that the compromised user owns. The primary attack vector is the unsuspecting installation of this compromised package, which immediately triggers the execution of the credential-stealing and self-propagating malware.
What is the Impact of BIT-vault-2023-25000?
Successful exploitation leads to complete compromise of the affected system, theft of all stored tokens and credentials, and the potential for a wider spread of the malicious software through the victim's other NPM packages.
What is the Exploitability of BIT-vault-2023-25000?
Exploitation of this vulnerability is very simple, as it is a drive-by compromise activated merely by installing the malicious package. The complexity level is minimal, requiring only the execution of an npm install command. No authentication is explicitly required, as the installation process itself is the trigger. Privilege requirements are those of the user or process executing the package installation. This is a local execution vulnerability, immediately followed by remote exfiltration of stolen data and potential remote propagation of the malware. There are no special conditions other than the act of installing the compromised package. The risk of exploitation is exceptionally high for any developer or automated build system that installs this package, leading to immediate and severe consequences.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-vault-2023-25000?
Available Upgrade Options
- github.com/hashicorp/vault
  - <1.11.9 → Upgrade to 1.11.9
  - >1.12.0, <1.12.5 → Upgrade to 1.12.5
  - >1.13.0, <1.13.1 → Upgrade to 1.13.1
Additional Resources
- https://osv.dev/vulnerability/GHSA-vq4h-9ghm-qmrr
- https://github.com/hashicorp/vault
- https://github.com/hashicorp/vault/pull/19495
- https://security.netapp.com/advisory/ntap-20230526-0008
- https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078
- https://nvd.nist.gov/vuln/detail/CVE-2023-25000
What are Similar Vulnerabilities to BIT-vault-2023-25000?
Similar Vulnerabilities: CVE-2023-38408, CVE-2022-36056, CVE-2021-23368, CVE-2020-15160, CVE-2019-12378
