Google Cloud affected by CVE-2021-30476

Kondukto Security Team, 13 May 2024

CVE-2021-30476 affects HashiCorp's Terraform Vault Provider and involves incorrect configuration of bound labels for GCP (Google Cloud Platform) authentication. This issue permits unauthorized users to potentially bypass authentication mechanisms. The vulnerability stems from the Vault provider not correctly configuring the bound labels within the GCP authentication method, which could lead to improper access control. 

How CVE-2021-30476 is being exploited

The exploitation of CVE-2021-30476 involves attackers leveraging the misconfiguration in the bound labels of the GCP auth method. By crafting specific requests or using certain GCP credentials, attackers could bypass authentication steps and gain unauthorized access. This exploit relies on the misconfiguration rather than a traditional software flaw or bug. 

However, it's important to note that the actual exploitation would depend on the specific misconfiguration and the attacker's knowledge about the GCP environment targeted.

The following example simplifies what such an exploit actually involves, but it highlights the underlying issue: a configuration that is applied incorrectly and can then lead to unauthorized access.

# Mount the GCP auth method and give Vault the credentials it uses to call GCP APIs.
resource "vault_gcp_auth_backend" "example" {
  path        = "gcp"
  credentials = file("credentials.json")
  project_id  = "my-gcp-project"
}

# An IAM-type role: only the listed service accounts in the listed projects
# are supposed to be able to log in and receive these policies.
resource "vault_gcp_auth_backend_role" "my_role" {
  backend                = vault_gcp_auth_backend.example.path
  role                   = "my-role"
  type                   = "iam"
  token_policies         = ["default", "dev", "prod"]
  bound_projects         = ["my-gcp-project"]
  bound_service_accounts = ["my-service-account@my-gcp-project.iam.gserviceaccount.com"]
}

Due to the vulnerability, an attacker might create or reuse a GCP token for a service account that, according to bound_service_accounts, should not have access, yet still authenticate because these bound labels are not enforced correctly.

gcloud auth activate-service-account --key-file=attacker-controlled-account.json
export VAULT_ADDR='http://127.0.0.1:8200'
vault write auth/gcp/login role="my-role" jwt="eyJhbGciOiJSUzI1NiIsImtpZCI6I..."

In this example, the attacker uses a JWT obtained from an unauthorized service account. Despite the bound_service_accounts configuration, the misconfiguration allows this JWT to authenticate successfully.

How to fix CVE-2021-30476

Fixing CVE-2021-30476 involves updating the Terraform Vault provider and ensuring that bound labels and other configurations are correctly applied and enforced. HashiCorp has acknowledged this vulnerability and has provided a patch. 

Detailed step-by-step instructions for applying this patch and implementing the other recommendations can be found on HashiCorp Discuss and in the provider's GitHub repository (see issue #996, which tracks this vulnerability).
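One way to check that bound labels really reached Vault after the fix is to compare the role Vault stores with what Terraform declared. The script below is an added example, not part of the original post or of HashiCorp's tooling; it is meant to be fed the output of `vault read -format=json auth/gcp/role/my-role`, and the role name, the label values and the exact JSON field layout are assumptions (the samples are constructed inline).

```python
import json

# Constructed sample of `vault read -format=json auth/gcp/role/my-role`:
# a gce-type role whose bound_labels never reached Vault (the CVE-2021-30476 symptom).
SAMPLE_DRIFTED = json.dumps({"data": {
    "type": "gce", "bound_projects": ["my-gcp-project"],
    "bound_labels": [], "bound_zones": [], "bound_regions": [],
    "bound_instance_groups": [], "token_policies": ["dev", "prod"],
}})
# Constructed sample of the same role once the labels are written correctly.
SAMPLE_OK = json.dumps({"data": {
    "type": "gce", "bound_projects": ["my-gcp-project"],
    "bound_labels": ["env:prod", "team:payments"], "bound_zones": [],
    "bound_regions": [], "bound_instance_groups": [], "token_policies": ["dev", "prod"],
}})
# Labels the Terraform role is assumed to declare.
EXPECTED_LABELS = {"env": "prod", "team": "payments"}

def parse_bound_labels(labels):
    """Vault stores bound_labels as 'key:value' strings; return them as a dict."""
    parsed = {}
    for item in labels or []:
        key, sep, value = item.partition(":")
        if not sep or not key:
            raise ValueError(f"malformed bound label {item!r}")
        parsed[key] = value
    return parsed

def audit_gce_role(role_json, expected_labels):
    """Compare the role Vault actually stores with the labels Terraform intended.
    Returns a list of findings; an empty list means intent and reality agree."""
    data = json.loads(role_json)["data"]
    if data.get("type") != "gce":
        return [f"role type is {data.get('type')!r}; bound_labels only apply to gce roles"]
    findings = []
    actual = parse_bound_labels(data.get("bound_labels"))
    for key, value in expected_labels.items():
        if key not in actual:
            findings.append(f"bound label {key}:{value} declared in Terraform but absent in Vault")
        elif actual[key] != value:
            findings.append(f"bound label {key} expected {value!r}, Vault has {actual[key]!r}")
    # With no labels, zones, regions or instance groups, any GCE instance in
    # bound_projects can log in: the role is effectively project-wide.
    narrowing = ("bound_labels", "bound_zones", "bound_regions", "bound_instance_groups")
    if not any(data.get(k) for k in narrowing):
        findings.append("no instance-level binding: every GCE VM in bound_projects can log in")
    return findings

if __name__ == "__main__":
    for name, sample in (("drifted", SAMPLE_DRIFTED), ("ok", SAMPLE_OK)):
        print(name, audit_gce_role(sample, EXPECTED_LABELS) or ["no findings"])
```

Run it against every gce-type role after upgrading the provider and applying; a non-empty finding list on a role Terraform believes has labels means the state and Vault have drifted.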

How to prevent similar vulnerabilities in the future

Firstly, understanding and following best practices for configuring authentication mechanisms, especially in cloud environments, is critical. Developers and system administrators should engage in routine audits of configurations for potential misconfigurations. Additionally, employing automated tools that can detect misconfigurations or unauthorized access patterns can serve as an early warning system. Lastly, adhering to a strict update and patch management policy ensures that software components remain hardened against known vulnerabilities.

Summary

CVE-2021-30476 is a significant security vulnerability in HashiCorp’s Terraform Vault Provider, specifically related to the GCP authentication method where bound labels were incorrectly configured. This misconfiguration could allow unauthorized users to bypass authentication mechanisms by exploiting the improper application of bound labels. Attackers could craft requests or use certain GCP credentials to gain unauthorized access, with the extent of exploitation depending on their knowledge of the targeted GCP environment. The vulnerability was addressed by HashiCorp with a patch that corrects the configuration of bound labels, ensuring proper access control.
