CVE-2020-10660
Improper Authorization vulnerability in vault (Go)
What is CVE-2020-10660 About?
HashiCorp Vault does not verify that an AppRole SecretID belongs to the specified role during a destroy operation. This improper authorization can lead to unauthorized deletion of SecretIDs. Exploitation is specific to the AppRole SecretID destroy operation and could be used to disrupt access for services that depend on those SecretIDs.
Affected Software
Technical Details
This vulnerability exists in HashiCorp Vault (github.com/hashicorp/vault), which does not adequately verify that an AppRole SecretID is associated with the specified role during a destroy operation. When a request is made to destroy a SecretID, Vault's authorization logic does not confirm that the SecretID being destroyed actually belongs to the AppRole named in the request. As a result, an authenticated user or process may be able to destroy SecretIDs belonging to other AppRoles, even without permissions on those roles: the destroy request names an AppRole that is not legitimately associated with the SecretID, and the operation succeeds because the association is never verified.
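As an added illustration (not Vault's own code), the following simplified Go model places the authorization gap described above beside the corrected check: the destroy handler must confirm that the stored SecretID entry is associated with the role named in the request before deleting it. The role names and SecretID values are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified in-memory model of AppRole SecretID storage (illustrative code,
// not Vault's implementation, which HMACs and persists these entries).
type secretIDEntry struct{ RoleName string } // role that issued the SecretID
type AppRoleBackend struct{ secretIDs map[string]*secretIDEntry }

func NewAppRoleBackend() *AppRoleBackend {
	return &AppRoleBackend{secretIDs: map[string]*secretIDEntry{}}
}

// Issue records a SecretID as belonging to role.
func (b *AppRoleBackend) Issue(role, secretID string) {
	b.secretIDs[secretID] = &secretIDEntry{RoleName: role}
}

// Exists reports whether a SecretID is still valid.
func (b *AppRoleBackend) Exists(secretID string) bool {
	_, ok := b.secretIDs[secretID]
	return ok
}

// DestroyUnchecked models the flaw: the role named in the request is accepted
// but never compared with the role that actually issued the SecretID.
func (b *AppRoleBackend) DestroyUnchecked(requestedRole, secretID string) error {
	if !b.Exists(secretID) {
		return errors.New("secret id not found")
	}
	delete(b.secretIDs, secretID)
	return nil
}

// DestroyChecked models the corrected behaviour: the SecretID is removed only
// when the stored entry is associated with the role named in the request.
func (b *AppRoleBackend) DestroyChecked(requestedRole, secretID string) error {
	entry, ok := b.secretIDs[secretID]
	if !ok || entry.RoleName != requestedRole {
		// Identical error in both cases, so callers cannot probe other roles' SecretIDs.
		return errors.New("secret id not found for role")
	}
	delete(b.secretIDs, secretID)
	return nil
}

func main() {
	b := NewAppRoleBackend()
	b.Issue("billing", "sid-billing-1") // constructed sample role and SecretID
	fmt.Println("unchecked:", b.DestroyUnchecked("web", "sid-billing-1")) // <nil>: deleted
	b.Issue("billing", "sid-billing-1")
	fmt.Println("checked:", b.DestroyChecked("web", "sid-billing-1")) // refused
}
```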
What is the Impact of CVE-2020-10660?
Successful exploitation may allow attackers to perform unauthorized destruction of AppRole SecretIDs, leading to denial of service for legitimate services or applications relying on those SecretIDs, and disrupting access.
What is the Exploitability of CVE-2020-10660?
Exploitation complexity is medium, requiring an understanding of Vault's AppRole mechanism and its API. Authentication is necessary, as the attacker needs to be an authenticated user within Vault to initiate SecretID destroy operations. This is a remote exploitation scenario if the Vault API is exposed. The key risk factors include relying on AppRoles for critical services where unauthorized SecretID destruction could cause significant operational impact, and imperfect enforcement of object ownership during destructive operations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10660?
Available Upgrade Options
- github.com/hashicorp/vault
  - >0.9.0, <1.3.4 → Upgrade to 1.3.4
Additional Resources
- https://osv.dev/vulnerability/GHSA-m979-w9wj-qfj9
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020
- https://www.hashicorp.com/blog/category/vault
- https://github.com/hashicorp/vault/pull/8606
- https://github.com/hashicorp/vault
- https://github.com/advisories/GHSA-m979-w9wj-qfj9
- https://nvd.nist.gov/vuln/detail/CVE-2020-10660
What are Similar Vulnerabilities to CVE-2020-10660?
Similar Vulnerabilities: CVE-2022-2468, CVE-2021-29467, CVE-2023-29471, CVE-2022-41407, CVE-2023-2895
