Researchers Uncover RCE Attack Chains in HashiCorp Vault and CyberArk Conjur
17 days ago
- #vulnerabilities
- #cybersecurity
- #credential-management
- Researchers discovered 14 logic flaws in HashiCorp Vault and CyberArk Conjur, two open-source credential management systems.
- The vulnerabilities allowed bypassing authentication, accessing secrets, impersonating identities, and executing arbitrary code.
- Non-human identities in enterprises outnumber human identities 150 to 1, making credential management systems critical.
- Cyata researchers presented findings at Black Hat USA, detailing RCE attack chains in both products.
- CyberArk Conjur's AWS IAM validation flaw allowed attackers to control hostnames and bypass authentication.
- Conjur's policy enforcement gaps enabled attackers to mint new hosts and execute arbitrary ERB code.
- HashiCorp Vault had nine vulnerabilities, including the first RCE flaw in its 10-year history.
- Vault's authentication methods (userpass, LDAP, TLS certificates) were affected by account-lockout bypasses and MFA circumvention flaws.
- A critical flaw in Vault's logging system allowed arbitrary code execution via plugin manipulation.
- Both vendors have patched the vulnerabilities, with CyberArk issuing five CVEs and HashiCorp releasing security bulletins.