OpenBao Identity System Privilege Escalation Vulnerability

Vulnerability

A vulnerability in OpenBao's identity management system allows accounts with high privileges in the root namespace to escalate their access to the root policy. It affects versions prior to 2.3.2. The root policy, which is normally generated manually using unseal or recovery key shares, can be arbitrarily modified by exploiting this vulnerability. Although the global root policy is not accessible from child namespaces, the ability to manipulate policies in the root namespace can effectively grant similar privileges.

Impact

Successful exploitation allows unauthorized modification of the root policy, which can lead to elevated privileges and access to sensitive operations or data.

Remediation

Upgrade to OpenBao version 2.3.2, which addresses this vulnerability. As an additional mitigation, policies that grant access to the affected identity endpoints can use 'denied_parameters' to prevent this type of privilege escalation.
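The following policy fragment illustrates the 'denied_parameters' mitigation. It is an added example, not text from the advisory or from the OpenBao project. The advisory does not name the affected endpoints or the parameter to block, so two things here are assumptions to be checked against the OpenBao 2.3.2 release notes: that the relevant endpoints live under the identity entity path ('identity/entity/*') and that the parameter worth denying is 'policies', the field through which identity objects receive policy assignments. The two stanzas are separate policy documents shown in one listing, the first the permissive shape and the second its hardened replacement.

```hcl
# Policy document 1 (weak shape, assumed for illustration): the token may
# send any request body to the identity entity endpoints, including fields
# that change which policies an entity carries.
path "identity/entity/*" {
  capabilities = ["create", "update", "read", "list"]
}

# Policy document 2 (hardened): the same operations remain allowed, but any
# request that includes the 'policies' parameter is rejected outright. In
# OpenBao/Vault ACL syntax an empty list under denied_parameters denies
# every value of that key, and denied_parameters takes precedence over
# allowed_parameters. The choice of 'policies' as the denied key is an
# assumption; substitute the parameter named in the OpenBao 2.3.2 notes.
path "identity/entity/*" {
  capabilities = ["create", "update", "read", "list"]
  denied_parameters = {
    "policies" = []
  }
}
```

Load the hardened document with the OpenBao CLI ('bao policy write <policy-name> <file>.hcl') and then re-read it to confirm the denied_parameters block survived. If the affected endpoints turn out to be the identity group paths instead, the same denied_parameters stanza applies under 'identity/group/*', since group objects accept a 'policies' field as well. Note that denied_parameters only constrains request bodies sent to paths this policy governs; it does not prevent a token that already holds the root policy from doing anything, so it is a complement to the upgrade, not a substitute.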

Added: Aug 9, 2025, 2:18 AM
Updated: Aug 9, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.