Researchers uncover RCE attack chains in popular enterprise credential vaults
Researchers have found 14 logic flaws in various components of HashiCorp Vault and CyberArk Conjur, two open-source credential management systems, allowing attacks that could bypass authentication checks, access secrets, impersonate identities and execute arbitrary code.
In enterprise environments, non-human identities, such as those used by applications and machines, are estimated to outnumber human identities 150 to 1. This makes credential management systems, which often hold what can be considered the “keys to the kingdom,” a critical component of IT infrastructure.
Recognizing this, researchers from cybersecurity firm Cyata analyzed two widely used open-source secrets management solutions: HashiCorp Vault and CyberArk Conjur. Their findings, which include 14 vulnerabilities that enable remote code execution (RCE) attack chains in both products, were presented today at the Black Hat USA security conference in Las Vegas.
“Secrets vaults are the backbone of digital infrastructure,” the researchers wrote in their report. “They store the credentials, tokens, and certificates that govern access to systems, services, APIs, and data. They’re not just part of the trust model — they are the trust model. In other words, if your vault is compromised, your infrastructure is already lost.”
