CVE-2024-9180: 
HashiCorp Vault vulnerability analysis and mitigation

CVE-2024-9180 is a privilege escalation vulnerability in HashiCorp Vault that was discovered and disclosed in October 2024. The vulnerability affects Vault Community Edition from version 0.10.4 up to 1.17.6 and Vault Enterprise from version 0.10.4 up to various versions. This security flaw allows a privileged Vault operator with write permissions to the root namespace's identity endpoint to escalate their own or another user's privileges to Vault's root policy (HashiCorp Advisory).

The vulnerability stems from the mishandling of entries in Vault's in-memory entity cache. A malicious actor with write permissions to the root namespace's identity endpoint could manipulate their cached entity record through the identity API endpoint on a Vault node. The manipulated entity record was not propagated across the cluster or persisted to the storage backend and would be cleared on server restarts. The vulnerability has been assigned a CVSSv3 score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (SecurityOnline).

The vulnerability allows attackers to gain complete control over the Vault instance by escalating privileges to Vault's root policy, potentially compromising sensitive data and disrupting critical operations. However, the impact is somewhat limited as the vulnerability only affects entities in the root namespace and does not impact those within standard or administrative namespaces. Additionally, HCP Vault Dedicated is unaffected due to its reliance on administrative namespaces (HashiCorp Advisory).

HashiCorp has released patched versions to address this vulnerability: Vault Community Edition 1.18.0 and Vault Enterprise versions 1.18.0, 1.17.7, 1.16.11, and 1.15.16. Alternative mitigation strategies include implementing Sentinel EGP policies or modifying the default policy to restrict access to the identity endpoint. Organizations can also monitor Vault audit logs for entries containing 'root' within the 'identity_policy' array to detect potential exploitation attempts (HashiCorp Advisory).