HashiCorp Vault Terraform Provider LDAP Authentication Bypass Vulnerability

A vulnerability exists in the HashiCorp Vault Terraform Provider versions 4.2.0 prior to 5.4.0, where the default setting for the deny_null_bind parameter in the LDAP authentication method was incorrectly configured. This misconfiguration could lead to an insecure setup, allowing authentication bypass if the LDAP server permitted anonymous or unauthenticated binds. The issue has been addressed in Vault Terraform Provider version 5.5.0.

Impact

Exploitation of this vulnerability could bypass authentication in Vault's LDAP auth method, allowing unauthorized access.

Remediation

Users should upgrade to Vault Terraform Provider version 5.5.0. For those using Vault Community Edition or Vault Enterprise, consider upgrading to version 1.21.1, 1.20.6, 1.19.12, or 1.16.28, which no longer allow unauthenticated binds to the LDAP server. If an upgrade is not possible, ensure the deny_null_bind parameter is set to true in the LDAP auth method configuration.