CVE-2024-2048
Privilege Escalation vulnerability in vault (Go)
What is CVE-2024-2048 About?
This is a privilege escalation vulnerability in Vault, primarily affecting a privileged operator with write permissions to the root namespace's identity endpoint. Exploitation allows such an operator to escalate their privileges to Vault’s root policy. The complexity of exploitation is low for an already privileged operator.
Affected Software
- github.com/hashicorp/vault
  - >1.15.0, <1.15.5
  - <1.14.10
Technical Details
The vulnerability concerns a privilege escalation flaw within HashiCorp Vault. A Vault operator who already possesses write permissions to the identity endpoint of the root namespace can leverage this access to elevate their privileges. Specifically, the flaw allows this privileged operator to manipulate the identity system in a way that grants them the capabilities associated with Vault's root policy. This bypasses normal access control mechanisms and provides unrestricted access to all Vault functionalities and secrets. The attack vector involves exploiting the write permissions on the identity endpoint to gain complete administrative control over the Vault instance, effectively becoming a 'root' user.
What is the Impact of CVE-2024-2048?
Successful exploitation may allow attackers to gain full administrative control over the Vault environment, leading to complete compromise of all secrets and data managed by Vault.
What is the Exploitability of CVE-2024-2048?
Exploitation is relatively low in complexity, given that the attacker must already be a privileged Vault operator. The primary prerequisite is write permission to the root namespace's identity endpoint. Authentication is required, as the attacker must be an authenticated Vault operator, and the attack inherently requires high privileges, specifically the aforementioned write permissions. This is likely a local or authenticated remote vulnerability, meaning the attacker must be able to interact with the Vault API, either from the internal network or via authenticated remote access. There are no other specified special conditions. The risk of exploitation is high, as it simplifies lateral movement and privilege escalation for an insider threat or an attacker who has already breached mid-level access.
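Because the prerequisite is write access to the identity endpoint, one defensive check is to list which ACL policy stanzas grant it. The following is an added example, not code from this page or from HashiCorp; the `Rule` type and function names are hypothetical, and it assumes the policies have already been parsed into path and capability lists.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one path stanza of an already-parsed Vault ACL policy (hypothetical type).
type Rule struct {
	Path string
	Caps []string
}

// overlapsIdentity: can the pattern (trailing "*" glob, "+" one segment) match under identity/?
func overlapsIdentity(pattern string) bool {
	glob := strings.HasSuffix(pattern, "*")
	base := strings.TrimSuffix(pattern, "*")
	first, _, hasSlash := strings.Cut(base, "/")
	if !hasSlash { // "*" and "iden*" reach identity/...; a bare name does not
		return glob && strings.HasPrefix("identity/", base)
	}
	return first == "identity" || first == "+"
}

// grantsIdentityWrite: write capability on identity/, unless the stanza denies.
func grantsIdentityWrite(r Rule) bool {
	write := false
	for _, c := range r.Caps {
		switch c {
		case "deny":
			return false
		case "create", "update", "patch", "delete":
			write = true
		}
	}
	return write && overlapsIdentity(r.Path)
}

func main() {
	// Constructed sample stanzas, not taken from any real cluster.
	for _, r := range []Rule{
		{"identity/entity/id/*", []string{"read", "list"}},
		{"identity/*", []string{"create", "update"}},
		{"*", []string{"create", "read", "update", "delete", "sudo"}},
		{"secret/data/*", []string{"create", "update"}},
	} {
		fmt.Printf("%-22s identity write: %v\n", r.Path, grantsIdentityWrite(r))
	}
}
```

Vault resolves overlapping stanzas by most-specific match, which this check does not model, so treat a hit as a policy to review rather than a confirmed grant.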
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-2048?
Available Upgrade Options
- github.com/hashicorp/vault
  - <1.14.10 → Upgrade to 1.14.10
  - >1.15.0, <1.15.5 → Upgrade to 1.15.5
Additional Resources
- https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382
- https://nvd.nist.gov/vuln/detail/CVE-2024-2048
- https://github.com/hashicorp/vault
- https://osv.dev/vulnerability/GHSA-r3w7-mfpm-c2vw
- https://security.netapp.com/advisory/ntap-20240524-0009/
What are Similar Vulnerabilities to CVE-2024-2048?
Similar Vulnerabilities: CVE-2023-28833, CVE-2022-2468, CVE-2021-3620, CVE-2020-10977, CVE-2019-15878
