CVE-2025-13357

HashiCorp · HashiCorp Vault Terraform Provider

A high-severity vulnerability has been identified in HashiCorp Vault’s Terraform Provider related to an insecure default configuration for LDAP authentication.

Executive summary

The flaw, an insecure default in the LDAP authentication configuration produced by HashiCorp Vault's Terraform Provider, could allow an attacker to bypass authentication controls and gain unauthorized access to sensitive secrets managed by Vault, potentially leading to a significant data breach or system compromise.

Vulnerability

The Terraform provider for HashiCorp Vault incorrectly sets the deny_null_bind parameter to false by default when configuring the LDAP authentication method. A null bind is an anonymous authentication request. When this parameter is false, Vault's LDAP auth method may accept authentication attempts with empty credentials if the backend LDAP server is also configured to allow anonymous binds, permitting an unauthenticated attacker to successfully log in and access secrets based on the configured policies.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.4. Successful exploitation could grant an attacker unauthorized access to the secrets and sensitive data stored within HashiCorp Vault. The consequences include potential data breaches, compromise of critical infrastructure credentials, privilege escalation across integrated systems, and failure to meet regulatory compliance requirements. The risk to the organization is significant, as Vault is often a central component for managing an organization's most sensitive credentials and secrets.

Remediation

Immediate Action: Organizations should immediately apply the security updates provided by the vendor to correct the insecure default setting. After patching, it is crucial to review existing LDAP authentication method configurations to ensure the deny_null_bind parameter is explicitly set to true.

Proactive Monitoring: Security teams should monitor Vault and LDAP server audit logs for any successful authentication events that correspond to null or anonymous binds. Specifically, look for successful login attempts where no username is provided. Monitor for unusual access patterns or the retrieval of a large number of secrets, which could indicate a compromised account.
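The following detection logic illustrates the monitoring guidance above. It is an added example, not HashiCorp's code and not part of this advisory. It assumes the JSON-lines layout of the Vault file audit device (`type`, `request.path`, `request.operation`, `request.remote_address`, `auth.display_name`, `error`) and an LDAP auth method mounted at the default path `auth/ldap`; the audit entries embedded below are constructed for the example and contain no real identities, addresses or secret paths.

```python
"""Flag successful LDAP logins with no username (possible null/anonymous bind)
and identities that read an unusual number of secrets, from Vault audit lines.

Added example, not HashiCorp's code. Assumes the file audit device's JSON-lines
layout and an LDAP mount at auth/ldap; all sample entries are constructed."""

import json
from collections import Counter

# Assumption: the LDAP auth method is mounted at the default path.
LDAP_LOGIN_PREFIX = "auth/ldap/login"

# Constructed sample: a normal login, a successful login with an empty
# username, a failed empty-username login, and a burst of secret reads by
# the identity the empty-username login produced.
SAMPLE_AUDIT = "\n".join(json.dumps(e) for e in [
    {"time": "2025-11-20T10:00:01Z", "type": "response",
     "request": {"operation": "update", "path": "auth/ldap/login/alice",
                 "remote_address": "10.0.0.5"},
     "auth": {"display_name": "ldap-alice"}, "error": ""},
    {"time": "2025-11-20T10:05:00Z", "type": "response",
     "request": {"operation": "update", "path": "auth/ldap/login/",
                 "remote_address": "203.0.113.7"},
     "auth": {"display_name": "ldap-"}, "error": ""},
    {"time": "2025-11-20T10:05:30Z", "type": "response",
     "request": {"operation": "update", "path": "auth/ldap/login/",
                 "remote_address": "203.0.113.7"},
     "auth": {}, "error": "ldap operation failed"},
] + [
    {"time": f"2025-11-20T10:06:{i:02d}Z", "type": "response",
     "request": {"operation": "read", "path": f"secret/data/app{i}",
                 "remote_address": "203.0.113.7"},
     "auth": {"display_name": "ldap-"}, "error": ""}
    for i in range(12)
])


def _entries(audit_text):
    """Yield parsed audit entries, skipping blank lines."""
    for line in audit_text.splitlines():
        if line.strip():
            yield json.loads(line)


def _username_from_login_path(path):
    """'auth/ldap/login/alice' -> 'alice'; 'auth/ldap/login/' -> ''."""
    return path[len(LDAP_LOGIN_PREFIX):].strip("/")


def find_null_bind_logins(audit_text):
    """Return (time, remote_address) for each *successful* LDAP login whose
    username is empty. Only 'response' entries without an error count as
    successful; failed empty-username attempts are ignored."""
    hits = []
    for entry in _entries(audit_text):
        req = entry.get("request", {})
        path = req.get("path", "")
        if entry.get("type") != "response" or not path.startswith(LDAP_LOGIN_PREFIX):
            continue
        if entry.get("error"):
            continue
        if _username_from_login_path(path) == "":
            hits.append((entry.get("time"), req.get("remote_address")))
    return hits


def find_bulk_secret_readers(audit_text, threshold=10):
    """Return {display_name: count} for identities with more than `threshold`
    successful secret reads; a simple heuristic for 'retrieval of a large
    number of secrets'."""
    reads = Counter()
    for entry in _entries(audit_text):
        req = entry.get("request", {})
        if (entry.get("type") == "response" and req.get("operation") == "read"
                and req.get("path", "").startswith("secret/") and not entry.get("error")):
            reads[entry.get("auth", {}).get("display_name", "<unknown>")] += 1
    return {name: n for name, n in reads.items() if n > threshold}


if __name__ == "__main__":
    for when, addr in find_null_bind_logins(SAMPLE_AUDIT):
        print(f"null-bind login at {when} from {addr}")
    for name, n in find_bulk_secret_readers(SAMPLE_AUDIT).items():
        print(f"{name}: {n} secret reads")
```

The empty-username check keys on the login path because Vault's LDAP login is addressed as `auth/ldap/login/<username>`; the failed attempt in the sample is deliberately excluded so that only the success case, which is what the advisory asks teams to look for, is reported. Adjust `LDAP_LOGIN_PREFIX` if the auth method is mounted elsewhere.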

Compensating Controls: If patching is not immediately possible, organizations can mitigate the risk by manually editing their Terraform configurations for the Vault LDAP auth method to explicitly set deny_null_bind = true. Additionally, administrators should ensure their backend LDAP server is configured to reject anonymous/null bind requests as a defense-in-depth measure.
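The review step under Immediate Action and the compensating control above both come down to one question: does every `vault_ldap_auth_backend` resource explicitly set `deny_null_bind = true`? The scanner below answers it over Terraform source. It is an added example, not HashiCorp's code and not part of this advisory. It assumes the resource type `vault_ldap_auth_backend` and the attribute name `deny_null_bind` as used by the Vault Terraform provider; the HCL embedded in it is a constructed sample that shows the weak configuration next to the corrected one.

```python
"""Report vault_ldap_auth_backend resources in Terraform source that do not
explicitly set deny_null_bind = true.

Added example, not HashiCorp's code. Assumes the provider's resource type and
attribute name; the HCL sample is constructed, not a real deployment."""

import re

# Constructed sample: one resource that relies on the provider default, one
# hardened as the advisory recommends, one explicitly insecure, and one whose
# value cannot be decided statically.
SAMPLE_TF = '''
resource "vault_ldap_auth_backend" "legacy" {
  path     = "ldap"
  url      = "ldaps://ldap.example.invalid"
  userdn   = "ou=Users,dc=example,dc=invalid"
  userattr = "uid"
  # deny_null_bind omitted: inherits the insecure provider default (false)
}

resource "vault_ldap_auth_backend" "hardened" {
  path           = "ldap-hardened"
  url            = "ldaps://ldap.example.invalid"
  userdn         = "ou=Users,dc=example,dc=invalid"
  userattr       = "uid"
  deny_null_bind = true   # reject anonymous binds
}

resource "vault_ldap_auth_backend" "explicit_false" {
  path           = "ldap-old"
  url            = "ldaps://ldap.example.invalid"
  deny_null_bind = false
}

resource "vault_ldap_auth_backend" "templated" {
  path           = "ldap-var"
  url            = "ldaps://ldap.example.invalid"
  deny_null_bind = var.deny_null_bind
}
'''

# Header of a resource block: resource "vault_ldap_auth_backend" "<name>" {
_RESOURCE_RE = re.compile(r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{')
# An attribute line inside the block body; trailing comments are tolerated.
_DENY_RE = re.compile(r'^\s*deny_null_bind\s*=\s*(\S+)', re.MULTILINE)


def _block_body(text, open_brace):
    """Return the text between the brace at `open_brace` and its matching
    close brace (brace-depth counting; nested blocks are fine)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def find_insecure_ldap_backends(hcl):
    """Return {resource_name: reason} for every vault_ldap_auth_backend that
    does not literally set deny_null_bind = true. A missing attribute is
    reported because the provider default is false."""
    findings = {}
    for m in _RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        body = _block_body(hcl, m.end() - 1)   # m.end()-1 is the '{'
        setting = _DENY_RE.search(body)
        if setting is None:
            findings[name] = "deny_null_bind not set (provider default is false)"
        elif setting.group(1) == "false":
            findings[name] = "deny_null_bind explicitly false"
        elif setting.group(1) != "true":
            findings[name] = f"deny_null_bind is non-literal ({setting.group(1)}); verify"
    return findings


if __name__ == "__main__":
    for name, reason in find_insecure_ldap_backends(SAMPLE_TF).items():
        print(f"{name}: {reason}")
```

Run it over the output of `cat *.tf` to triage a repository; the `hardened` resource is the shape every LDAP auth backend should end up in after remediation. Resources whose value comes from a variable are reported separately rather than silently passed, since the scanner cannot know what the variable resolves to.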

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high CVSS score and the critical role of HashiCorp Vault in managing sensitive credentials, it is strongly recommended that organizations prioritize the remediation of this vulnerability. Although this CVE is not currently listed on the CISA KEV list, the potential for unauthorized access to an organization's most critical secrets warrants immediate action. Organizations should either apply the vendor-supplied patch or implement the recommended compensating controls without delay to prevent potential compromise.