Apr 12, 2023

RCE through SQL Injection Vulnerability in Hashicorp's Vault

Daniel Abeles
Head of Research
Gal Goldstein
Security Researcher

Introduction

Oxeye's Application Security Platform automatically discovered a 0-day vulnerability in Hashicorp Vault immediately after a deployment at a technology company.

Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack.

We reported this vulnerability to Hashicorp, and the team quickly patched it in versions 1.13.1, 1.12.5, and 1.11.9 of Vault, as stated in their security bulletin. Hashicorp has issued CVE-2023-0620 for this vulnerability.

Potential vulnerability impact – a threat actor can execute arbitrary system commands on a Vault application by exploiting a SQL injection attack in the database connection handler.

In addition to the patch, Hashicorp also updated its security model to ensure that Vault configuration files and storage backends are appropriately secured, as described in Vault’s production hardening guidelines.

Details

The vulnerability exists in how Vault handles SQL queries when interacting with its backend database. Attackers can exploit this vulnerability by injecting malicious SQL statements into the configuration parameters Vault loads at startup. The attacker can run arbitrary SQL queries on the target database if successful.

When attackers have “write” access to that configuration, they can exploit it by injecting malicious SQL statements into the configuration file.

The vulnerability affects Vault versions up to 1.13.0, 1.12.4, and 1.11.8. The Hashicorp team has released a patch for this vulnerability, and users are advised to update their installations immediately.

Vault uses the storage stanza to configure the storage backend, representing the location for the durable storage of Vault's information. One of the possible storage configurations is the MSSQL database; the MSSQL database configuration allows the user to set the following parameters:

Following are the descriptions for relevant fields for the exploit:

  • Database – specifies the name of the database. If the database does not exist, Vault will attempt to create it.
  • Table - specifies the table's name. If the table does not exist, Vault will attempt to create it.
  • Schema - specifies the schema's name. If the schema does not exist, Vault will attempt to create it.

Those configuration fields are concatenated directly into an MSSQL query when the database is set up. This is a problem as they are not sanitized; this allows configuring a malicious payload to be inserted as part of those variable names, which could eventually lead to changes inside the database.

Here is an excerpt of the vulnerable code:

Escalating the SQLi to RCE

To escalate the SQL injection to a remote code execution attack, the attacker must use the SQL injection vulnerability to run commands on the backend database server. In our case, the vulnerability exists within the MSSQL database handler. In MSSQL backends, in some conditions, depending on the configurations and the DB user privileges, attackers can use the "xp_cmdshell" stored procedure to execute operating system commands.

The attacker can run the following SQL statement to enable "xp_cmdshell" on the MSSQL server:

Once "xp_cmdshell" is enabled, the attacker can run operating system commands using the following SQL statement:

With this technique, the attacker can run arbitrary code on the target system with the privileges of the MSSQL service account, which may have elevated privileges.

Implications of the Vulnerability

The RCE through SQL injection vulnerability in Hashicorp's Vault project threatens the security and integrity of sensitive information stored in Vault, mainly due to the nature of the project, which is to hold secrets. Attackers can use this vulnerability to access sensitive data, modify or delete it, and run malicious code on the target system.

Organizations that use Hashicorp's Vault in their infrastructure should prioritize patching their installations and review their security policies to prevent similar vulnerabilities from being exploited in the future.

The most dangerous scenario is where the attacker has READ/WRITE access to the configuration, which can reside on external storage (e.g., AWS SSM). The attacker could modify the config file to gain remote code execution within the service hosting the database (which could be initially inaccessible to the attacker), resulting in the attacker being able to move into the victim's internal network laterally.

We eat our own dog food

As a security-focused organization, we believe practicing what we preach is essential. Not only did we discover this vulnerability during one of our routine product scans, it was found automatically by our brand new compiled Go binary scanning engine! This binary scanning engine allows our customers to detect vulnerabilities without requiring access to code repos, which helps improve security while providing the benefit of running security tests much closer to production. 

Help us continue to improve Go security!

Late last year, we published a vulnerability that we discovered in Go. As part of our ongoing effort to make Go more secure, we’re working on gathering data for the 2023 edition of the Annual Oxeye Golang Security Report. Our research team uses the Oxeye platform to automatically scan commonly-used Golang open-source projects for vulnerabilities, but we are always looking for ways to expand the data set. If you’d like to participate in this research by allowing us to scan your Go applications, we’d love to hear from you! In addition to contributing to greater security, you’ll get a free scan from the first cloud-native specific application security testing solution, and the first Go binary scanning engine for application security. You'll also be able to enjoy peace of mind knowing that we can find vulnerabilities in your third party components, since Oxeye doesn't need access to the code repos. Contact us and indicate in the message section that you’re interested in participating, and we’ll reach out to you to schedule a conversation.

Conclusion

Configuration-based attacks like those in Hashicorp's Vault will become more common, given the trend towards microservices in modern software development. The centralized nature of configurations makes them a single point of truth and a lucrative target for threat actors. As such, organizations should prioritize the security of configuration files and other centralized components.

This vulnerability in Hashicorp's Vault project underscores the importance of limiting access to sensitive tools and enforcing proper input validation to prevent SQL injection attacks. The consequences of a successful attack on Vault can be severe, and prevention is vital to maintaining the integrity and confidentiality of sensitive information. Organizations that use Hashicorp's Vault should take immediate action to patch their installations and ensure that their security policies are up-to-date.

April 12, 2023

RCE through SQL Injection Vulnerability in Hashicorp's Vault

Daniel Abeles
Head of Research
Gal Goldstein
Security Researcher

Introduction

Oxeye's Application Security Platform automatically discovered a 0-day vulnerability in Hashicorp Vault immediately after a deployment at a technology company.

Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack.

We reported this vulnerability to Hashicorp, and the team quickly patched it in versions 1.13.1, 1.12.5, and 1.11.9 of Vault, as stated in their security bulletin. Hashicorp has issued CVE-2023-0620 for this vulnerability.

Potential vulnerability impact – a threat actor can execute arbitrary system commands on a Vault application by exploiting a SQL injection attack in the database connection handler.

In addition to the patch, Hashicorp also updated its security model to ensure that Vault configuration files and storage backends are appropriately secured, as described in Vault’s production hardening guidelines.

Details

The vulnerability exists in how Vault handles SQL queries when interacting with its backend database. Attackers can exploit this vulnerability by injecting malicious SQL statements into the configuration parameters Vault loads at startup. The attacker can run arbitrary SQL queries on the target database if successful.

When attackers have “write” access to that configuration, they can exploit it by injecting malicious SQL statements into the configuration file.

The vulnerability affects Vault versions up to 1.13.0, 1.12.4, and 1.11.8. The Hashicorp team has released a patch for this vulnerability, and users are advised to update their installations immediately.

Vault uses the storage stanza to configure the storage backend, representing the location for the durable storage of Vault's information. One of the possible storage configurations is the MSSQL database; the MSSQL database configuration allows the user to set the following parameters:

Following are the descriptions for relevant fields for the exploit:

  • Database – specifies the name of the database. If the database does not exist, Vault will attempt to create it.
  • Table - specifies the table's name. If the table does not exist, Vault will attempt to create it.
  • Schema - specifies the schema's name. If the schema does not exist, Vault will attempt to create it.

Those configuration fields are concatenated directly into an MSSQL query when the database is set up. This is a problem as they are not sanitized; this allows configuring a malicious payload to be inserted as part of those variable names, which could eventually lead to changes inside the database.

Here is an excerpt of the vulnerable code:

Escalating the SQLi to RCE

To escalate the SQL injection to a remote code execution attack, the attacker must use the SQL injection vulnerability to run commands on the backend database server. In our case, the vulnerability exists within the MSSQL database handler. In MSSQL backends, in some conditions, depending on the configurations and the DB user privileges, attackers can use the "xp_cmdshell" stored procedure to execute operating system commands.

The attacker can run the following SQL statement to enable "xp_cmdshell" on the MSSQL server:

Once "xp_cmdshell" is enabled, the attacker can run operating system commands using the following SQL statement:

With this technique, the attacker can run arbitrary code on the target system with the privileges of the MSSQL service account, which may have elevated privileges.

Implications of the Vulnerability

The RCE through SQL injection vulnerability in Hashicorp's Vault project threatens the security and integrity of sensitive information stored in Vault, mainly due to the nature of the project, which is to hold secrets. Attackers can use this vulnerability to access sensitive data, modify or delete it, and run malicious code on the target system.

Organizations that use Hashicorp's Vault in their infrastructure should prioritize patching their installations and review their security policies to prevent similar vulnerabilities from being exploited in the future.

The most dangerous scenario is where the attacker has READ/WRITE access to the configuration, which can reside on external storage (e.g., AWS SSM). The attacker could modify the config file to gain remote code execution within the service hosting the database (which could be initially inaccessible to the attacker), resulting in the attacker being able to move into the victim's internal network laterally.

We eat our own dog food

As a security-focused organization, we believe practicing what we preach is essential. Not only did we discover this vulnerability during one of our routine product scans, it was found automatically by our brand new compiled Go binary scanning engine! This binary scanning engine allows our customers to detect vulnerabilities without requiring access to code repos, which helps improve security while providing the benefit of running security tests much closer to production. 

Help us continue to improve Go security!

Late last year, we published a vulnerability that we discovered in Go. As part of our ongoing effort to make Go more secure, we’re working on gathering data for the 2023 edition of the Annual Oxeye Golang Security Report. Our research team uses the Oxeye platform to automatically scan commonly-used Golang open-source projects for vulnerabilities, but we are always looking for ways to expand the data set. If you’d like to participate in this research by allowing us to scan your Go applications, we’d love to hear from you! In addition to contributing to greater security, you’ll get a free scan from the first cloud-native specific application security testing solution, and the first Go binary scanning engine for application security. You'll also be able to enjoy peace of mind knowing that we can find vulnerabilities in your third party components, since Oxeye doesn't need access to the code repos. Contact us and indicate in the message section that you’re interested in participating, and we’ll reach out to you to schedule a conversation.

Conclusion

Configuration-based attacks like those in Hashicorp's Vault will become more common, given the trend towards microservices in modern software development. The centralized nature of configurations makes them a single point of truth and a lucrative target for threat actors. As such, organizations should prioritize the security of configuration files and other centralized components.

This vulnerability in Hashicorp's Vault project underscores the importance of limiting access to sensitive tools and enforcing proper input validation to prevent SQL injection attacks. The consequences of a successful attack on Vault can be severe, and prevention is vital to maintaining the integrity and confidentiality of sensitive information. Organizations that use Hashicorp's Vault should take immediate action to patch their installations and ensure that their security policies are up-to-date.

This is some text inside of a div block.
This is some text inside of a div block.

Want to see what it looks like?