
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Vault's SSH secrets engine contained a high-severity vulnerability (CVE-2024-7594) affecting Vault Community Edition 1.7.7 through 1.17.5 and the corresponding Vault Enterprise releases. The SSH secrets engine did not require a role's valid_principals list to contain a value by default, so an authorized caller could obtain SSH certificates that are not bound to any particular user. The flaw was discovered and reported by Jörn Heissler and carries a CVSS score of 7.5 (High) (HashiCorp Discussion).
The vulnerability lies in the role configuration of Vault's SSH secrets engine: the valid_principals list, which restricts the principals (user names) a signed certificate is valid for, could be left empty by default. When neither valid_principals nor default_user is set on a role, a certificate requested by an authorized Vault user is issued with an empty principal list, and the OpenSSH certificate format defines a zero-length valid principals field as valid for any principal, so the certificate can be used to authenticate as any user on a target host that trusts the CA. The issue has been assigned a CVSS v3.1 base score of 7.5 with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, requiring only low privileges (a valid Vault token with access to the role) and no user interaction, with high attack complexity and high impact on confidentiality, integrity, and availability (SecurityOnline).
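To make the "empty principals" condition concrete, the following added example (not code from Vault, HashiCorp or OpenSSH) builds two constructed OpenSSH user certificates, one with no principals as a vulnerable role would issue and one pinned to a principal, then parses the principals field back out of the certificate blob so that certificates already issued by Vault can be audited. The nonce, key and signature bytes are placeholders; the certificate type names and field layout follow PROTOCOL.certkeys.

```python
"""Parse OpenSSH certificates and flag those with an empty principal list.

Added example, not code from Vault or OpenSSH. Sample certificates are constructed
in-process with dummy nonce, key and signature bytes: only the structure matters
for this check, and no signature is verified.
"""
import base64
import struct
from typing import Dict, List

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate type field: 1 = user, 2 = host

# Number of public-key strings that follow the nonce, per PROTOCOL.certkeys:
# ed25519 carries pk; RSA carries e and n; ECDSA carries curve and public_key.
PUBKEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ed25519_user_cert(principals: List[str], key_id: str) -> str:
    """Constructed single-line certificate as it would appear in a *-cert.pub file."""
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x11" * 32),                                   # nonce (dummy)
        _string(b"\x00" * 32),                                   # pk (dummy)
        struct.pack(">Q", 7),                                    # serial
        struct.pack(">I", USER_CERT),                            # type
        _string(key_id.encode()),                                # key id
        _string(b"".join(_string(p.encode()) for p in principals)),  # valid principals
        struct.pack(">Q", 0),                                    # valid after
        struct.pack(">Q", 2**64 - 1),                            # valid before
        _string(b""),                                            # critical options
        _string(b""),                                            # extensions
        _string(b""),                                            # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # signature key (dummy CA)
        _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)),  # signature (dummy)
    ])
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())


def parse_cert(line: str) -> Dict:
    """Decode an OpenSSH certificate line up to its validity window."""
    key_type, b64 = line.split()[:2]
    if key_type not in PUBKEY_FIELDS:
        raise ValueError(f"unsupported certificate type {key_type}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != key_type:
        raise ValueError("certificate type does not match the blob")
    r.string()  # nonce
    for _ in range(PUBKEY_FIELDS[key_type]):
        r.string()  # algorithm-specific public key fields
    serial, cert_type, key_id = r.u64(), r.u32(), r.string().decode()
    packed = _Reader(r.string())  # valid principals: a packed sequence of strings
    principals: List[str] = []
    while packed.pos < len(packed.data):
        principals.append(packed.string().decode())
    return {"key_type": key_type, "serial": serial, "type": cert_type,
            "key_id": key_id, "principals": principals,
            "valid_after": r.u64(), "valid_before": r.u64()}


def is_wildcard_cert(line: str) -> bool:
    """True when the certificate lists no principals; PROTOCOL.certkeys defines a
    zero-length valid principals field as valid for any principal."""
    return parse_cert(line)["principals"] == []
```

On a real host the equivalent check is `ssh-keygen -L -f id_ed25519-cert.pub`, which prints `Principals: (none)` for such a certificate. Whether sshd then accepts that certificate for an arbitrary account depends on how the CA is trusted in sshd_config, so verify the behaviour on the target rather than assume it.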
If exploited, this vulnerability allows an attacker who already holds a valid Vault token with permission to request certificates from an affected role to obtain an SSH certificate that target hosts may accept for any local account, including privileged ones. This can lead to unauthorized system access, data breaches, service disruption, and unauthorized control over critical infrastructure (SecurityOnline).
HashiCorp has addressed this vulnerability in Vault Community Edition 1.17.6 and Vault Enterprise 1.17.6, 1.16.10, and 1.15.15. These releases introduce a new role option, allow_empty_principals, which defaults to false: a signing request against a role that sets neither valid_principals nor default_user is then rejected instead of producing a certificate with no principals, and operators who genuinely need that behaviour must opt in explicitly per role. Users are advised to upgrade to a patched version and, in any case, to audit their SSH secrets engine roles so that every CA role has a non-empty valid_principals list or a default_user (HashiCorp Discussion).
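The role audit described above, as an added example that is not Vault's own code or tooling: it classifies role definitions in the shape of the `data` object returned by `vault read -format=json ssh/roles/<name>` and builds the `vault write` command that pins a role to an explicit principal list. The sample roles, the mount name `ssh` and the chosen replacement principals are constructed for illustration.

```python
"""Audit Vault SSH CA roles for the CVE-2024-7594 condition.

Added example, not Vault's own code. Input is a mapping of role name to the
`data` object of `vault read -format=json ssh/roles/<name>`; the roles below
are constructed for illustration.
"""
import shlex
from typing import Dict, List, Tuple

VULNERABLE = "vulnerable"      # no valid_principals, no default_user, no opt-in
OPT_IN_EMPTY = "opt-in-empty"  # allow_empty_principals=true: wildcard certs by design
OK = "ok"
NOT_APPLICABLE = "n/a"         # OTP roles do not issue certificates

SAMPLE_ROLES: Dict[str, dict] = {
    # Constructed: a pre-patch role that never set either field.
    "legacy-admin": {"key_type": "ca", "allowed_users": "*", "valid_principals": "",
                     "default_user": "", "allow_user_certificates": True,
                     "ttl": 0, "max_ttl": 0},
    "deploy": {"key_type": "ca", "allowed_users": "deploy,ci", "valid_principals": "deploy,ci",
               "default_user": "deploy", "allow_user_certificates": True,
               "ttl": 1800, "max_ttl": 3600},
    # Constructed: a post-patch role that explicitly opted in to empty principals.
    "break-glass": {"key_type": "ca", "allowed_users": "*", "valid_principals": "",
                    "default_user": "", "allow_empty_principals": True,
                    "allow_user_certificates": True},
    "otp-users": {"key_type": "otp", "default_user": "ubuntu", "cidr_list": "10.0.0.0/8"},
}


def _csv(value) -> List[str]:
    """valid_principals is stored as a comma-separated string; ignore blanks."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def classify_role(role: dict) -> str:
    """Apply the advisory's condition: CA role with neither field set."""
    if role.get("key_type") != "ca":
        return NOT_APPLICABLE
    if _csv(role.get("valid_principals")) or (role.get("default_user") or "").strip():
        return OK
    if role.get("allow_empty_principals") is True:
        return OPT_IN_EMPTY
    return VULNERABLE


def audit(roles: Dict[str, dict]) -> Dict[str, str]:
    return {name: classify_role(role) for name, role in roles.items()}


def remediation_command(mount: str, name: str, role: dict,
                        principals: List[str]) -> Tuple[str, List[str]]:
    """Build the `vault write` that pins the role to explicit principals.

    Writing a role path replaces the whole role, so scalar fields are re-sent.
    Composite fields (maps such as default_extensions) are not rendered here;
    their names are returned so the operator re-adds them by hand.
    """
    if not principals:
        raise ValueError("a non-empty principal list is required")
    fields = {**role, "valid_principals": ",".join(principals)}
    fields.pop("allow_empty_principals", None)  # not needed once principals are pinned
    args, skipped = [], []
    for key, value in fields.items():
        if isinstance(value, bool):
            if value:
                args.append(f"{key}=true")
        elif isinstance(value, (str, int)):
            if value not in ("", 0):  # empty strings and zero durations are defaults
                args.append(f"{key}={value}")
        else:
            skipped.append(key)
    cmd = f"vault write {mount}/roles/{name} " + " ".join(shlex.quote(a) for a in args)
    return cmd, skipped


if __name__ == "__main__":
    for name, status in audit(SAMPLE_ROLES).items():
        print(f"{name:14s} {status}")
    cmd, skipped = remediation_command("ssh", "legacy-admin", SAMPLE_ROLES["legacy-admin"], ["ops"])
    print(cmd, "(re-add by hand: %s)" % skipped if skipped else "")
```

Roles reported as `opt-in-empty` deserve the same scrutiny as `vulnerable` ones, since they produce the same certificates on purpose; the classification only separates accidental from deliberate configuration.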
Source: This report was generated using AI