CVE-2022-41316
Incomplete Revocation Check vulnerability in vault (Go)

Weakness class: Incomplete Revocation Check. Known public exploit: none.

What is CVE-2022-41316 About?

HashiCorp Vault and Vault Enterprise's TLS certificate authentication method had a flaw where Certificate Revocation Lists (CRLs) were not loaded into memory on startup. This could allow revoked certificates to be used for authentication until the CRL was subsequently retrieved. The impact is a bypass of certificate revocation, making exploitation possible for an attacker with a revoked certificate.

Affected Software

  • github.com/hashicorp/vault
    • <1.9.10
    • >1.11.0, <1.11.4
    • >1.10.0, <1.10.7

Technical Details

The HashiCorp Vault TLS certificate authentication method, in versions prior to 1.12.0 (and respective patch versions), failed to initially load the optionally configured Certificate Revocation List (CRL) issued by the role's Certificate Authority (CA) into memory upon startup. This meant that immediately after a Vault instance started or restarted, it would not have an up-to-date revocation list. Consequently, any revoked TLS client certificates presented for authentication during this initial period (before the first successful CRL retrieval) would be accepted as valid. An attacker possessing a revoked certificate could exploit this window of vulnerability to authenticate to Vault and gain unauthorized access to secrets until the CRL was eventually loaded and enforced.
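The following Go sketch is an added illustration, not Vault's own code: it contrasts the lazily populated revocation cache described above (empty until the first CRL fetch, so every serial passes) with a fail-closed variant that refuses to decide until the CRL is in memory and that is populated before any login is served. The `revokedSet` and `loadCRL` names, the `fetch` stand-in and the serial values are constructed for the example.

```go
package main

import "fmt"

// revokedSet is a simplified in-memory CRL cache keyed by certificate serial;
// a nil set means the configured CRL has not been read into memory yet.
type revokedSet map[string]struct{}

// loadCRL builds the cache from fetch, a stand-in for retrieving and parsing the role CA's CRL.
func loadCRL(fetch func() ([]string, error)) (revokedSet, error) {
	serials, err := fetch()
	if err != nil {
		return nil, err
	}
	set := make(revokedSet, len(serials))
	for _, s := range serials {
		set[s] = struct{}{}
	}
	return set, nil
}

// IsRevokedLazy mirrors the vulnerable pattern: a nil (never loaded) set matches no serial, so a revoked cert passes.
func (r revokedSet) IsRevokedLazy(serial string) bool {
	_, ok := r[serial]
	return ok
}

// CheckRevocation is the fail-closed form: while a configured CRL is not yet
// in memory, no revocation decision is made and authentication is refused.
func (r revokedSet) CheckRevocation(serial string) error {
	if r == nil {
		return fmt.Errorf("CRL configured but not loaded; refusing authentication")
	}
	if _, ok := r[serial]; ok {
		return fmt.Errorf("certificate serial %s is revoked", serial)
	}
	return nil
}

func main() {
	// Constructed CRL contents: the role's CA has revoked serial 0x2a.
	fetch := func() ([]string, error) { return []string{"0x2a"}, nil }
	var lazy revokedSet // vulnerable: never populated at startup
	fmt.Println("lazy cache accepts revoked serial:", !lazy.IsRevokedLazy("0x2a"))
	eager, err := loadCRL(fetch) // fixed: populated before any login is served
	if err != nil {
		panic(err)
	}
	fmt.Println("eager cache rejects revoked serial:", eager.CheckRevocation("0x2a"))
}
```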

What is the Impact of CVE-2022-41316?

Successful exploitation may allow attackers using revoked TLS certificates to bypass authentication and gain unauthorized access to Vault secrets and resources, compromising sensitive data and system integrity.

What is the Exploitability of CVE-2022-41316?

Exploitation of this vulnerability has a moderate complexity. The primary prerequisite is an attacker having possession of a valid client TLS certificate that has subsequently been revoked. Authentication via the TLS certificate auth method is required. No special privileges are needed beyond holding the revoked certificate. Access would typically be remote, as Vault is often accessed over the network. The special condition is timing: the attack must occur after a Vault restart and before the Vault instance successfully fetches and loads the CRL. This creates a specific window of opportunity. The likelihood of exploitation increases if revoked certificates are not meticulously tracked or destroyed, and if Vault instances are frequently restarted, creating more such windows.

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none known.

What are the Available Fixes for CVE-2022-41316?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.9.10 → Upgrade to 1.9.10
  • github.com/hashicorp/vault
    • >1.10.0, <1.10.7 → Upgrade to 1.10.7
  • github.com/hashicorp/vault
    • >1.11.0, <1.11.4 → Upgrade to 1.11.4


Additional Resources

What are Similar Vulnerabilities to CVE-2022-41316?

Similar Vulnerabilities: CVE-2025-6013, CVE-2020-25658, CVE-2020-25659, CVE-2020-25660, CVE-2020-25661