So maybe one step down in severity, though I do not know the details of what HCSEC-2024-05 was fixed with as that was after the fork point. OpenBao moved to full cert pinning (constant-time cert.Raw comparisons) when remediating that one, which meant we were not affected by this variant.
OpenBao, under the Linux Foundation's OpenSSF, is making meaningful improvements to the code. I'd love to have high-quality reports, if you're willing to re-visit these. :-)
We had earlier pulled support for pre-Vault-1.0 userpass pre-bcrypt hashing (so there's no longer a timing difference there that could be used for enumeration) and using cache busting on lookup should also ensure consistency across storage layers. Plus, normalizing the remaining error messages through when the user's credential is fully validated as correct.
But, the short answer why I say _reasonably_ sure is because HashiCorp and the OP haven't released a lot of details about exactly what case(s) are affected, so there's only so much we can do except look at our own code and infer what we can and make an educated guess.
So, barring some structural problem I'm not immediately aware of, I have reasonably high confidence based on discussions amongst the community members.
Why do you care? This is not a very meaningful vulnerability --- it's a side channel user enumeration. Even direct user enumeration is a sev:info finding.
On behalf of the OpenBao project, I welcome collaboration with future researchers. We were not informed of these vulnerabilities before HashiCorp posted their usual CVE bulletins, which is disappointing. (Especially as HashiCorp's Vault no longer has an Open Source edition ;-)
We've triaged as being affected by 8 of the 9 CVEs (in fixing an earlier Cert Auth vulnerability, we correctly remediated this one) and have merged patches for most of them.
Happily, the community has done some great work on remediating these and I'm very appreciative of them.
I'm most excited about the audit changes: this was the impetus needed to make them be configuration driven in the next release series. Leaving audit device (which, as a reminder, have a socket mode which can make arbitrary TCP calls!) open to API callers is rather unsafe, even with prefix being limited.
(Edit: And of course it goes without saying, but we're more than happy to accept contributions to the community -- code, docs, technical, or otherwise!)
Somebody has to say this so I guess I'll take the hit: part of the cost of an unsanctioned fork of a large project is that you're not going to be in the embargo list. Even with a large base of developers and users, the mechanics of a community-driven open source project can make people gun-shy about pre-disclosing.
Over the long term, increasing prominence of your project will probably get you most disclosures directly, because vulnerability researchers are incentivized to confirm big targets for findings. But in the short term, I don't think this complaint about HashiCorp is based in any real norm of vulnerability disclosure.
I'll bite ;-) Appreciate your replies as always tptacek!
It is a fair criticism. But I think two things give us an advantage here:
1. IBM started this fork and later bought HashiCorp, with the acquisition having fully completed. I've broached the subject with both sides post-acquisition but got only a negative response from the HashiCorp side and no response from IBM. We are very much a known entity to the teams that matter inside IBM. And I'd posit within HashiCorp as well given I came out of their Vault Crypto team. ;-)
Whether IBM wishes to cooperate is a different matter. Mentioning again, publicly, doesn't hurt and hopefully raises awareness to researchers (such as yourself!).
2. The Linux Foundation's OpenSSF (our umbrella foundation) has a reputation which we try our best to uphold. Obviously they'd be rightfully upset if we shared pre-disclosure vulnerabilities widely. So we won't and don't. Certainly the broader Linux distribution security list is a positive model in this regard.
If this were J. Doe's pet fork of $CRITICAL_SOFTWARE, 100% agree. But the fork is neither new nor lacking in reputation of its component/parent entities, so I'd hope researchers give us the same consideration they would any other of LF's forks (Valkey, OpenSearch, OpenTofu, ...).
But that said, I've personally disclosed vulnerabilities post-fork to HashiCorp and have mentioned to them that I have stopped future disclosures without a further agreement. This just leads to a two-party zero-day vulnerability race, which is not in anyone's best interest.
These are all points well taken. I'd just say, don't look for any kind of coherent fairness in vulnerability embargo lists. Certainly, if you're a fork that the upstream doesn't want to exist, I don't think there's any norm that you'll automatically be included. I'm irritated about a number of embargo lists myself, but if the vulnerability researchers wanted to include me, they could, regardless of what IBM thought.
As someone who is actively migrating from HCP Vault Dedicated to self-hosted OpenBao, thanks for this update. Any CVE issues worth tracking / linking here?
Since HashiCorp and OP did not opt to disclose to OpenBao, the most authoritative source right now is HashiCorp's security tracker, linked down-thread: https://news.ycombinator.com/item?id=44821779
While I'm sure Vault contracts run more than what I'd care to know, the project is set up under the Linux Foundation and I've been told in the past that we as a project are capable of receiving direct donations.
If you're so inclined, please do!
We'd of course be appreciative of it, but that said, the OpenBao TSC had tabled conversations about just what we'd spend any funds on until after we moved into the OpenSSF... Which just concluded which means it might be time to get things moving again. But just to say, we may not immediately know what we'd spend any donations on. :-)
(Alternatively, hiring and retaining a maintainer or a firm working on it would also be good options. Part of the growth requirements of OpenSSF projects is to have more than a handful of companies on project leadership so increasing diversity is a key goal.)
Yes, implemented from scratch by the community but (mostly--barring one reported issue) the same functionality and behavior. Not storage-level compatible, we (likely?) made different storage layout decisions that I'm rather hopeful will set us up nicely for future technical improvements above and beyond Vault Enterprise.
Horizontal scalability and disaster recovery is one of the next larger features on our mind. We won't use the architecture of Performance Secondaries, and likely will transparently upgrade (existing) Standby nodes to become read-scalable. Local storage is interesting, but brings with it additional complexity that few need. Better to use namespaces with distinct storage backends (distributing active across all nodes in a cluster) to scale writes horizontally across different namespaces before looking at horizontal scalability of a single mount (which is all that local storage gives you -- it doesn't give you write scalability across namespaces).
Also on that list is external key support, similar to managed keys from Vault Enterprise, but with different configuration semantics: https://github.com/openbao/openbao/pull/1320
We currently have no plans for implementing some of the enterprise secrets bcakends (KMIP, Transform/Tokenization, KMSE, ...) though of course would be welcoming to these as well. Sync is another area that is not in the cards for the short-term.
In terms of differentiation, we have a lot of unique RFCs in-flight that I presume are not on Vault Enterprise's immediate roadmap:
Feel free to reach out if you want to discuss more or contribute in any way -- we welcome more than just code contributions, there's many ways one can help. :-)
It is a secrets manager; I think it's a fair question.
Very few individuals will want to run them, the reality is they're mostly for businesses to consume. Businesses need maintenance reliability and continuity plans and that's why I've been pushing on the project's governance aspects for a while.
We're not the next TikTok or JS framework so there'll be no flash point of popularity. Just have to put in the work and see where it goes. :-)
So maybe one step down in severity, though I do not know the details of what HCSEC-2024-05 was fixed with as that was after the fork point. OpenBao moved to full cert pinning (constant-time cert.Raw comparisons) when remediating that one, which meant we were not affected by this variant.