CVE-2021-32923
HashiCorp Vault vulnerability analysis and mitigation

Overview

HashiCorp Vault and Vault Enterprise versions 0.10.0 through 1.7.1 are affected by CVE-2021-32923, which was discovered and disclosed on May 20, 2021. The flaw allowed nearly-expired token leases and dynamic secret leases to be renewed within 1 second of their maximum TTL, after which they were incorrectly treated as non-expiring during subsequent use (HashiCorp Discussion).

Technical details

The vulnerability stemmed from a flaw in the renewal logic: when a token lease or dynamic secret lease was renewed inside the last second of its maximum TTL, its new TTL was set to the remaining whole seconds of maximum TTL, which rounds down to 0 seconds. A 0-second TTL caused these tokens and secrets to be treated as non-expiring during subsequent use. The exposure window was narrow and primarily affected automation-driven renewals operating under tight time tolerances (HashiCorp Discussion).

Impact

The vulnerability resulted in tokens and dynamic secrets living past their intended lifetime without being revoked. Vault-issued tokens with non-expiring leases did not present a direct security risk, because Vault would still not accept them as valid. Vault-issued dynamic secrets with non-expiring leases did pose a security risk: they were never revoked from the associated secrets engine, so the underlying service could continue to accept them as valid (HashiCorp Discussion).

Mitigation and workarounds

The vulnerability was fixed in Vault versions 1.5.9, 1.6.5, and 1.7.2. After upgrading, Vault automatically expires any existing token leases and dynamic secret leases that were left non-expiring by this renewal logic flaw. The fix also rejects renewal requests for leases with less than 1 second of their maximum TTL remaining. The cleanup activity is logged in the Vault server log for further investigation (HashiCorp Discussion).
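The renewal flaw from the Technical details section and the 1-second rejection check from the fix, side by side in a small Go model. This is an added example, not Vault's own code: the Lease type, its field names, the function names and the use of a 0 TTL to stand in for a non-expiring lease are this example's assumptions.

```go
package main

import (
	"errors"
	"time"
)

// Lease models a Vault token or dynamic-secret lease; field names are this example's own.
type Lease struct {
	IssueTime time.Time
	MaxTTL    time.Duration
	TTL       time.Duration // 0 models "non-expiring" (assumption for this example)
}

// remaining is how much of the maximum TTL is left at time now.
func (l Lease) remaining(now time.Time) time.Duration {
	return l.MaxTTL - now.Sub(l.IssueTime)
}

// clampSeconds caps the requested TTL at the remaining max TTL and rounds down
// to whole seconds: inside the last second this yields 0.
func clampSeconds(requested, rem time.Duration) time.Duration {
	if requested > rem {
		requested = rem
	}
	return requested.Truncate(time.Second)
}

// RenewBuggy models the pre-fix behaviour: a renewal inside the last second
// of max TTL sets TTL to 0, which the lease store then treats as non-expiring.
func RenewBuggy(l Lease, now time.Time, requested time.Duration) Lease {
	l.TTL = clampSeconds(requested, l.remaining(now))
	return l
}

// RenewFixed models the 1.7.2 behaviour: a renewal with under one second of
// max TTL remaining is rejected, so the TTL can never round down to 0.
func RenewFixed(l Lease, now time.Time, requested time.Duration) (Lease, error) {
	rem := l.remaining(now)
	if rem < time.Second {
		return l, errors.New("renewal rejected: under 1s of max TTL left")
	}
	l.TTL = clampSeconds(requested, rem)
	return l, nil
}

// IsStuckNonExpiring flags a bounded lease left with TTL 0, the condition the
// post-upgrade cleanup described above looks for.
func IsStuckNonExpiring(l Lease) bool { return l.MaxTTL > 0 && l.TTL == 0 }
```

A renewal 500 ms before the maximum TTL gives RenewBuggy a 0 TTL that IsStuckNonExpiring flags, while RenewFixed returns an error instead.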


Related HashiCorp Vault vulnerabilities:

CVE ID         | Severity | Score | Technologies    | Component name                               | CISA KEV exploit | Has fix | Published date
CVE-2025-61729 | HIGH     | 7.5   | cAdvisor        | opentelemetry-operator                       | No               | Yes     | Dec 02, 2025
CVE-2025-63811 | HIGH     | 7.5   | HashiCorp Vault | sql_exporter                                 | No               | Yes     | Nov 12, 2025
CVE-2025-61727 | MEDIUM   | 6.5   | cAdvisor        | crossplane-function-environment-configs-fips | No               | Yes     | Dec 03, 2025
CVE-2025-58181 | MEDIUM   | 5.3   | cAdvisor        | azuredisk-csi-fips-1.29                      | No               | Yes     | Nov 19, 2025
CVE-2025-47914 | MEDIUM   | 5.3   | cAdvisor        | argo-workflows-fips-3.7                      | No               | Yes     | Nov 19, 2025
