CVE-2024-8365 Overview
CVE-2024-8365 is an information disclosure vulnerability affecting HashiCorp Vault Community Edition and Vault Enterprise. A regression was introduced that removed the HMAC functionality for sensitive headers in the configured audit device, specifically client tokens and token accessors. This resulted in plaintext values of client tokens and token accessors being stored in the audit log, potentially exposing sensitive authentication credentials to unauthorized parties with access to audit logs.
Critical Impact
Client tokens and token accessors are written in plaintext to audit logs, potentially allowing attackers with audit log access to harvest valid authentication credentials and gain unauthorized access to Vault secrets.
Affected Products
- HashiCorp Vault Community Edition (versions prior to 1.17.5)
- HashiCorp Vault Enterprise (versions prior to 1.17.5)
- HashiCorp Vault Enterprise (versions prior to 1.16.9)
Discovery Timeline
- 2024-09-02 - CVE-2024-8365 published to NVD
- 2024-09-04 - Last updated in NVD database
Technical Details for CVE-2024-8365
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The core issue stems from a code regression that inadvertently removed the HMAC (Hash-based Message Authentication Code) protection mechanism that previously obscured sensitive header values in audit logs.
Under normal operation, HashiCorp Vault hashes sensitive information such as client tokens and token accessors before writing them to audit devices. This ensures that even if audit logs are compromised, the actual authentication credentials remain protected. However, due to this regression, the HMAC function was no longer applied to these specific headers, causing them to be written in their original plaintext form.
The vulnerability requires network access and some user interaction to exploit, as an attacker would need to gain access to the audit log storage location. However, the confidentiality impact is significant since exposed tokens could grant full access to Vault secrets.
Root Cause
The root cause of CVE-2024-8365 is a software regression that removed the HMAC transformation applied to client tokens and token accessors before they are written to audit devices. This was likely introduced during code refactoring or feature updates, where the cryptographic protection mechanism was inadvertently bypassed or removed for these specific header fields.
Attack Vector
The attack vector for this vulnerability is network-based. An attacker who gains access to Vault's audit logs—whether through compromised log aggregation systems, insecure log storage, or insider access—can directly extract valid client tokens and token accessors. These credentials can then be used to authenticate to the Vault instance and access stored secrets without requiring additional exploitation.
The attack scenario typically involves:
- Gaining access to systems where Vault audit logs are stored (e.g., SIEM systems, log aggregators, backup systems)
- Searching audit log entries for plaintext client tokens and token accessors
- Using extracted tokens to authenticate to the Vault API
- Accessing secrets and sensitive data stored within Vault
Detection Methods for CVE-2024-8365
Indicators of Compromise
- Presence of plaintext client tokens in audit log files (tokens typically begin with hvs. or s. prefixes)
- Unusual access patterns to Vault audit log storage locations
- Authentication events using tokens that were logged in audit devices
- Unexpected Vault API access from unusual IP addresses or at unusual times
Detection Strategies
- Review audit logs for entries containing plaintext token values instead of HMAC hashes
- Implement monitoring for any access to audit log storage systems
- Enable alerting for Vault authentication events that originate from unexpected sources
- Compare token formats in recent audit logs against historical entries to identify the regression point
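An added detection script (not from the advisory or from HashiCorp) that applies the first strategy above to JSON audit-log lines: Vault writes HMAC'd fields as hmac-sha256:<hex>, so any client_token, accessor, or audited request-header value that lacks that prefix and looks like a token was written in plaintext. The sample log lines and the token value are constructed.

```python
import json
import re

HMAC_PREFIX = "hmac-sha256:"
# Vault token shapes: current hvs./hvb./hvr. prefixes plus the legacy s./b./r. forms.
TOKEN_RE = re.compile(r"^(?:hvs|hvb|hvr|s|b|r)\.[A-Za-z0-9_-]{20,}$")


def _protected(value):
    return isinstance(value, str) and value.startswith(HMAC_PREFIX)


def scan_entry(entry):
    """Return (location, value) pairs the audit device should have HMAC'd but wrote as-is."""
    findings = []
    blocks = {"auth": entry.get("auth") or {}}
    resp_auth = (entry.get("response") or {}).get("auth")  # token-issuing responses
    if resp_auth:
        blocks["response.auth"] = resp_auth
    for name, block in blocks.items():
        for field in ("client_token", "accessor"):
            value = block.get(field)
            if value and not _protected(value):
                findings.append((f"{name}.{field}", value))
    # Audited request headers: Vault lowercases the names; each maps to a list of values.
    headers = (entry.get("request") or {}).get("headers") or {}
    for header, values in headers.items():
        for value in values:
            if not _protected(value) and TOKEN_RE.match(value):
                findings.append((f"request.headers.{header}", value))
    return findings


def scan_log(lines):
    """Return [(line_no, findings)] for JSON audit lines that expose credentials."""
    results = []
    for line_no, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; not an audit entry
        if isinstance(entry, dict) and (findings := scan_entry(entry)):
            results.append((line_no, findings))
    return results


# Constructed sample: line 1 is a healthy entry, line 2 shows the regression.
FAKE_TOKEN = "hvs.CAESIConstructedExampleTokenValue00000"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"type": "request", "auth": {"client_token": "hmac-sha256:aa11", "accessor": "hmac-sha256:bb22"},
     "request": {"path": "secret/data/app", "headers": {"x-vault-token": ["hmac-sha256:aa11"]}}},
    {"type": "request", "auth": {"client_token": FAKE_TOKEN, "accessor": "hmac-sha256:bb22"},
     "request": {"path": "secret/data/app", "headers": {"x-vault-token": [FAKE_TOKEN]}}},
)]
```

Run it over a real file with scan_log(open(path)); if the audit device was enabled with hmac_accessor=false, plaintext accessor findings are expected by configuration rather than evidence of the regression.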
Monitoring Recommendations
- Implement file integrity monitoring on audit log directories
- Configure alerts for bulk access or export of audit log data
- Monitor Vault authentication patterns for anomalies following potential token exposure
- Track access to log aggregation systems that receive Vault audit data
How to Mitigate CVE-2024-8365
Immediate Actions Required
- Upgrade HashiCorp Vault Community Edition to version 1.17.5 or later
- Upgrade HashiCorp Vault Enterprise to version 1.17.5 or later (or, on the 1.16 branch, to 1.16.9 or later)
- Revoke and rotate all client tokens that may have been logged during the vulnerable period
- Audit access logs for audit log storage systems to identify potential unauthorized access
- Review and restrict permissions to audit log storage locations
Patch Information
HashiCorp has released fixed versions that restore the HMAC functionality for sensitive headers in audit devices. The fix is available in Vault Community Edition 1.17.5 and Vault Enterprise versions 1.17.5 and 1.16.9. Organizations should upgrade to these patched versions immediately. For detailed information, refer to the HashiCorp Security Advisory HCSEC-2024-18.
Workarounds
- Restrict access to audit log storage to essential personnel only
- Implement encryption at rest for audit log storage locations
- Consider temporarily disabling audit logging if the risk of token exposure outweighs audit requirements (not recommended for compliance environments)
- Implement additional network segmentation to isolate audit log storage systems
- Enable audit log forwarding to a secured, access-controlled SIEM system
# CLI example - rotate tokens after patching
# List all token accessors (requires sudo capability on this path)
vault list auth/token/accessors
# Revoke tokens that may have been exposed; revoking by accessor does not require the token value itself
vault token revoke -accessor <accessor_id>
# Verify the audit device and its options (including hmac_accessor) are configured correctly after upgrade
vault audit list -detailed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.