CVE-2023-3462 Overview
HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP authentication method. An attacker may submit requests for existent and non-existent LDAP users and observe the response from Vault to determine if the account is valid on the LDAP server. This information disclosure vulnerability allows attackers to enumerate valid usernames, which can be leveraged for subsequent attacks such as password spraying or targeted phishing campaigns.
Critical Impact
Attackers can enumerate valid LDAP user accounts through observable response differences, enabling reconnaissance for credential-based attacks against HashiCorp Vault deployments.
Affected Products
- HashiCorp Vault (all versions prior to 1.13.5)
- HashiCorp Vault Enterprise (all versions prior to 1.13.5)
- HashiCorp Vault 1.14.0 (both Community and Enterprise editions)
Discovery Timeline
- 2023-07-31 - CVE-2023-3462 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-3462
Vulnerability Analysis
This vulnerability falls under CWE-203 (Observable Discrepancy), where the application exposes sensitive information through differences in behavior or response characteristics. When LDAP authentication is configured in Vault, the system produces distinguishable responses when processing authentication requests for valid versus invalid usernames.
The attack is network-accessible, requires no authentication or user interaction, and has low complexity to execute. While the vulnerability does not directly compromise the confidentiality of stored secrets or system integrity, it exposes information about valid user accounts that exist within the connected LDAP directory.
Root Cause
The root cause lies in the LDAP authentication method's response handling logic. When an attacker submits authentication requests, Vault returns different response patterns depending on whether the username exists in the LDAP directory. These observable differences—which may include variations in error messages, response timing, or HTTP status codes—allow attackers to distinguish between valid and invalid accounts without needing valid credentials.
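The discrepancy described above, reduced to a minimal login routine as an added example; this is not Vault's code. The directory, bind function, status codes and error strings are constructed stand-ins: the vulnerable form reveals whether the account exists through its error text, the hardened form returns one status and one message for every failure and does the same work on both paths, and responses_are_uniform is the regression check a defender can keep in a test suite so the discrepancy does not return.

```python
"""Added illustration of CWE-203 in an LDAP-style login path (not Vault's code).
The directory, bind function and error strings are constructed stand-ins."""
import hashlib
import hmac

# Constructed stand-in for an LDAP directory: username -> salted password hash.
_SALT = b"constructed-salt"


def _h(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


DIRECTORY = {"alice": _h("correct horse"), "bob": _h("battery staple")}
_DUMMY = _h("placeholder")  # hashed against when the user is unknown


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for a simple bind. The hash comparison runs whether or not the
    user exists, so unknown and known users cost the same work here."""
    stored = DIRECTORY.get(username, _DUMMY)
    matches = hmac.compare_digest(stored, _h(password))
    return matches and username in DIRECTORY


def login_vulnerable(username: str, password: str) -> tuple:
    """Observable discrepancy: the error text says whether the account exists."""
    if username not in DIRECTORY:
        return 400, "ldap user not found"
    if not ldap_bind(username, password):
        return 400, "ldap bind failed: invalid password"
    return 200, "ok"


UNIFORM_ERROR = "invalid username or password"


def login_hardened(username: str, password: str) -> tuple:
    """Same status and message for unknown users and wrong passwords, and the
    same bind attempt on both paths, so the response carries no hint."""
    if ldap_bind(username, password):
        return 200, "ok"
    return 400, UNIFORM_ERROR


def responses_are_uniform(login, known_user: str, unknown_user: str) -> bool:
    """Defender-side regression check: a failed login for a real account and
    for a non-existent one must be indistinguishable in status and body."""
    return login(known_user, "wrong-password") == login(unknown_user, "wrong-password")


if __name__ == "__main__":
    print("vulnerable uniform:", responses_are_uniform(login_vulnerable, "alice", "mallory"))
    print("hardened uniform:  ", responses_are_uniform(login_hardened, "alice", "mallory"))
```

The check compares status and body only; response timing is a second channel, which is why the hardened path still performs the bind (and the hash comparison inside it) for unknown users instead of short-circuiting.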
Attack Vector
The attack is conducted over the network against Vault's authentication endpoint. An attacker systematically submits authentication requests using a list of potential usernames. By analyzing the responses, the attacker can build a list of valid LDAP accounts. This enumerated user list can then be used for:
- Password spraying attacks against the Vault LDAP auth endpoint
- Credential stuffing using leaked password databases
- Social engineering campaigns targeting identified users
- Lateral movement attempts within the organization
The attack requires no prior authentication and can be automated to enumerate large user lists quickly.
Detection Methods for CVE-2023-3462
Indicators of Compromise
- High volume of failed authentication attempts against the LDAP auth method from single or distributed IP addresses
- Sequential or dictionary-based username patterns in authentication logs
- Unusually rapid authentication requests suggesting automated enumeration
- Authentication attempts using usernames not typically associated with Vault access
Detection Strategies
- Monitor Vault audit logs for patterns of repeated authentication failures with different usernames from the same source
- Implement rate limiting detection to identify high-frequency authentication attempts
- Correlate Vault authentication logs with LDAP server logs to identify enumeration patterns
- Deploy network-based detection for high volumes of traffic to the /v1/auth/ldap/login/ endpoint
Monitoring Recommendations
- Enable and centralize Vault audit logging to capture all authentication events
- Configure alerting thresholds for authentication failure rates that exceed normal baselines
- Implement SIEM rules to correlate authentication patterns across multiple security data sources
- Monitor for reconnaissance activity preceding credential-based attacks against Vault
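An added example, not HashiCorp tooling, of the audit-log correlation suggested under Detection Strategies and the failure-rate threshold suggested under Monitoring Recommendations: it parses constructed JSON audit entries shaped like Vault's (type, time, request.path, request.remote_address, and a top-level error on failed responses) and flags any source that fails LDAP logins against several distinct usernames within a sliding window. The sample lines, the 5-minute window and the five-username threshold are assumptions to tune against your own baseline.

```python
"""Added detection example over constructed Vault-style audit entries
(not HashiCorp code). Field layout follows Vault's JSON audit log; values are invented."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails against six different usernames in ten
# seconds, a second source retries one username three times, a third succeeds.
SAMPLE_AUDIT_LOG = """\
{"time":"2023-08-01T10:00:00.100000000Z","type":"request","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"203.0.113.7"}}
{"time":"2023-08-01T10:00:00.200000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:00:02.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/bob","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:00:04.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/carol","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:00:06.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/dave","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:00:08.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/erin","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:00:10.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/frank","remote_address":"203.0.113.7"},"error":"authentication failed"}
{"time":"2023-08-01T10:01:00.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"198.51.100.4"},"error":"authentication failed"}
{"time":"2023-08-01T10:01:30.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"198.51.100.4"},"error":"authentication failed"}
{"time":"2023-08-01T10:02:00.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"198.51.100.4"},"error":"authentication failed"}
{"time":"2023-08-01T10:03:00.000000000Z","type":"response","request":{"operation":"update","path":"auth/ldap/login/alice","remote_address":"10.0.0.9"},"auth":{"display_name":"ldap-alice"}}
"""

LOGIN_PREFIX = "auth/ldap/login/"


def _parse_time(value: str) -> datetime:
    # Drop fractional seconds and the trailing Z so fromisoformat accepts it.
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z"))


def parse_ldap_login_failures(log_text: str) -> list:
    """Return (time, source_ip, username) for every failed LDAP login response.
    Request-type entries and successful responses (no error field) are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        if not path.startswith(LOGIN_PREFIX):
            continue
        username = path[len(LOGIN_PREFIX):]
        events.append((_parse_time(entry["time"]), req.get("remote_address", "?"), username))
    return events


def find_enumeration_sources(events, window=timedelta(minutes=5), distinct_users=5) -> dict:
    """Map source IP -> set of usernames for every source that failed against at
    least `distinct_users` different usernames inside one sliding `window`."""
    by_source = defaultdict(list)
    for ts, source, username in sorted(events):
        by_source[source].append((ts, username))
    flagged = {}
    for source, evs in by_source.items():
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= distinct_users:
                flagged[source] = users
                break
    return flagged


if __name__ == "__main__":
    for source, users in find_enumeration_sources(parse_ldap_login_failures(SAMPLE_AUDIT_LOG)).items():
        print(f"possible enumeration from {source}: {sorted(users)}")
```

Counting distinct usernames per source, rather than raw failures, is what separates enumeration from a user mistyping one password; the retrying source in the sample is left alone. Feed the same parser the LDAP server's own logs (mapped to the same tuple shape) to confirm that the failures seen at Vault correspond to bind attempts against the directory.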
How to Mitigate CVE-2023-3462
Immediate Actions Required
- Upgrade HashiCorp Vault to version 1.14.1 or later
- Upgrade HashiCorp Vault to version 1.13.5 or later if on the 1.13.x branch
- Review audit logs for signs of prior user enumeration attempts
- Implement network-level rate limiting on Vault authentication endpoints
Patch Information
HashiCorp has addressed this vulnerability in Vault versions 1.14.1 and 1.13.5. The fix normalizes the authentication response behavior to prevent attackers from distinguishing between valid and invalid usernames. Organizations should upgrade to these patched versions as soon as possible. For detailed information, refer to the HashiCorp Security Advisory HCSEC-2023-24.
Workarounds
- Implement network-level controls to restrict access to Vault's LDAP authentication endpoint to trusted networks only
- Deploy a Web Application Firewall (WAF) or API gateway with rate limiting capabilities in front of Vault
- Consider using alternative authentication methods such as OIDC or JWT tokens if LDAP enumeration risk is unacceptable
- Implement account lockout policies on the LDAP server to slow enumeration attempts
# Configuration example - rate limiting the LDAP login path with HAProxy in front of Vault
frontend vault_frontend
    mode http
    bind *:8200
    # Per-source-IP counter of requests to the LDAP login path over a 10s window
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    acl ldap_auth path_beg /v1/auth/ldap/login
    http-request track-sc0 src if ldap_auth
    # Reject with 429 once a source exceeds 100 LDAP login requests per 10s (10/s average)
    http-request deny deny_status 429 if ldap_auth { sc_http_req_rate(0) gt 100 }
    default_backend vault_backend

backend vault_backend
    mode http
    # Placeholder address: point this at the Vault listener (add ssl options if Vault serves TLS)
    server vault1 127.0.0.1:8201
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.