CVE-2023-25000 - OpenCVE

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hashicorp	Vault

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*
	cpe:2.3:a:hashicorp:vault:::::-:::*
	cpe:2.3:a:hashicorp:vault:::::enterprise:::*

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078	Issue Tracking Patch Vendor Advisory
https://security.netapp.com/advisory/ntap-20230526-0008/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-03-30T00:17:46.230Z

Updated: 2023-03-30T00:24:51.132Z

Reserved: 2023-02-01T17:54:13.893Z

Link: CVE-2023-25000

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-30T01:15:07.493

Modified: 2023-05-26T20:15:36.290

Link: CVE-2023-25000

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-25000", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2023-02-01T17:54:13.893Z", "datePublished": "2023-03-30T00:17:46.230Z", "dateUpdated": "2023-03-30T00:24:51.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2023-03-30T00:24:51.132Z"}, "title": "Vault Vulnerable to Cache-Timing Attacks During Seal and Unseal Operations", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"}]}], "affected": [{"vendor": "HashiCorp", "product": "Vault", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "repo": "https://github.com/hashicorp/vault", "versions": [{"status": "affected", "version": "1.13.0", "lessThan": "1.13.1", "versionType": "semver"}, {"status": "affected", "version": "1.12.0", "lessThan": "1.12.5", "versionType": "semver"}, {"status": "affected", "version": "1.11.0", "lessThan": "1.11.9", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "1.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Vault Enterprise", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "versions": [{"status": "affected", "version": "1.13.0", "lessThan": "1.13.1", "versionType": "semver"}, {"status": "affected", "version": "1.12.0", "lessThan": "1.12.5", "versionType": "semver"}, {"status": "affected", "version": "1.11.0", "lessThan": "1.11.9", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "1.11.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9."}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078"}, {"url": "https://security.netapp.com/advisory/ntap-20230526-0008/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Giuseppe Cocomazzi", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"advisory": "HCSEC-2023-10", "discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "2C565DBD-95F4-4951-A029-93ABE5315740", "versionEndExcluding": "1.11.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "80EB9F32-09A4-469C-AF76-1AE3137EAC1B", "versionEndExcluding": "1.11.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "446F872F-F64C-44CA-85BC-144FCFBCFA8B", "versionEndExcluding": "1.12.5", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "71A02FE6-C8D4-455D-A71A-C8353E1ECB7C", "versionEndExcluding": "1.12.5", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*", "matchCriteriaId": "81280166-3DF7-4867-95E9-A7AFB9A12CE7", "versionEndExcluding": "1.13.1", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C56E203C-1E18-4395-B500-B6EA695B16C0", "versionEndExcluding": "1.13.1", "versionStartIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9."}], "id": "CVE-2023-25000", "lastModified": "2023-05-26T20:15:36.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 4.0, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2023-03-30T01:15:07.493", "references": [{"source": "security@hashicorp.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078"}, {"source": "security@hashicorp.com", "url": "https://security.netapp.com/advisory/ntap-20230526-0008/"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-208"}], "source": "security@hashicorp.com", "type": "Secondary"}]}