CVE-2024-1052 - OpenCVE

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hashicorp	Boundary

Configuration 1 [-]

cpe:2.3:a:hashicorp:boundary:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458

History

No history.

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-02-05T20:43:53.939Z

Updated: 2024-08-01T18:26:30.420Z

Reserved: 2024-01-29T20:35:33.313Z

Link: CVE-2024-1052

Vulnrichment

Updated: 2024-08-01T18:26:30.420Z

NVD

Status : Analyzed

Published: 2024-02-05T21:15:11.640

Modified: 2024-02-15T18:49:40.180

Link: CVE-2024-1052

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1052", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-01-29T20:35:33.313Z", "datePublished": "2024-02-05T20:43:53.939Z", "dateUpdated": "2024-08-01T18:26:30.420Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-02-05T20:43:53.939Z"}, "title": "Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "affected": [{"vendor": "HashiCorp", "product": "Boundary", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "repo": "https://github.com/hashicorp/boundary", "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Boundary Enterprise", "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application."}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}}], "source": {"advisory": "HCSEC-2024-02", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "hashicorp", "product": "boundary", "cpes": ["cpe:2.3:a:hashicorp:boundary:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.8.0", "status": "affected", "lessThan": "0.15.0", "versionType": "semver"}]}, {"vendor": "hashicorp", "product": "boundary_enterprise", "cpes": ["cpe:2.3:a:hashicorp:boundary_enterprise:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.8.0", "status": "affected", "lessThan": "0.15.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T17:48:37.020420Z", "id": "CVE-2024-1052", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T17:52:35.908Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.420Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1052", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-28T17:48:37.020420Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hashicorp:boundary:*:*:*:*:*:*:*:*"], "vendor": "hashicorp", "product": "boundary", "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:hashicorp:boundary_enterprise:*:*:*:*:*:*:*:*"], "vendor": "hashicorp", "product": "boundary_enterprise", "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T17:52:08.700Z"}}], "cna": {"title": "Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering", "source": {"advisory": "HCSEC-2024-02", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/boundary", "vendor": "HashiCorp", "product": "Boundary", "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "defaultStatus": "unaffected"}, {"vendor": "HashiCorp", "product": "Boundary Enterprise", "versions": [{"status": "affected", "version": "0.8.0", "lessThan": "0.15.0", "versionType": "semver"}], "platforms": ["Windows", "MacOS", "Linux", "x86", "ARM", "64 bit", "32 bit"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458"}], "descriptions": [{"lang": "en", "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.", "supportingMedia": [{"type": "text/html", "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-02-05T20:43:53.939Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1052", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:26:30.420Z", "dateReserved": "2024-01-29T20:35:33.313Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2024-02-05T20:43:53.939Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:boundary:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B4CF85-FD5E-4257-A4A5-3E05689B596D", "versionEndExcluding": "0.15.0", "versionStartIncluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application."}, {"lang": "es", "value": "Boundary and Boundary Enterprise (\u201cBoundary\u201d) es vulnerable al secuestro de sesi\u00f3n mediante la manipulaci\u00f3n del certificado TLS. Un atacante con privilegios para enumerar sesiones activas o pendientes, obtener una clave privada perteneciente a una sesi\u00f3n y obtener un token de confianza en el primer uso (TOFU) v\u00e1lido puede manipular un certificado TLS para secuestrar una sesi\u00f3n activa y obtener acceso al servicio subyacente o solicitud."}], "id": "CVE-2024-1052", "lastModified": "2024-02-15T18:49:40.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2024-02-05T21:15:11.640", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2024-02-boundary-vulnerable-to-session-hijacking-through-tls-certificate-tampering/62458"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@hashicorp.com", "type": "Secondary"}]}