HashiCorp Vault
cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*
Affected versions: < 2.3.2
A user enumeration vulnerability has been identified in OpenBao versions 0.1.0 prior to 2.3.1, specifically within the userpass authentication method. The flaw is a timing discrepancy in the login path that lets a caller distinguish non-existent users from users with stored credentials, whether or not the supplied password is valid. The issue has been addressed in version 2.3.2.
Exploitation of this vulnerability allows for user enumeration, where an attacker can identify valid usernames within the application.
To reproduce this vulnerability, log in to OpenBao using the userpass authentication method. Attempt to authenticate with a list of usernames, both valid and invalid. Observe the response times; usernames associated with stored credentials will result in faster response times compared to those that do not exist.
Users can upgrade to OpenBao version 2.3.2, which addresses this vulnerability. As a mitigation, rate-limit quotas can be applied to reduce the number of authentication requests permitted within a given interval.
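The root cause described above (a login path whose cost depends on whether the username exists) and the kind of hardening a fix delivers can be illustrated with the following added Go example. It is not OpenBao's code: the in-memory store, the user `alice`, the iterated-SHA-256 stand-in for the real password hash, and the `HashCalls` counter are all constructed here so that the work asymmetry shows up as a deterministic count rather than a wall-clock measurement. Whichever branch happens to be faster, any difference in work between the known-user and unknown-user paths is what leaks existence; the hardened variant does the same hashing either way and returns a single error.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrInvalid is the single error returned for every failed login, so the
// error message itself never reveals whether the username exists.
var ErrInvalid = errors.New("invalid username or password")

// hashRounds makes slowHash noticeably expensive, standing in for a
// bcrypt-style cost factor (assumption: not OpenBao's real hashing scheme).
const hashRounds = 20000

// Store is a constructed in-memory userpass backend used only for this example.
type Store struct {
	users     map[string][]byte
	dummyHash []byte // precomputed hash consumed when the user does not exist
	HashCalls int    // slowHash invocations; makes the work asymmetry observable without a stopwatch
}

// slowHash is an iterated SHA-256 placeholder for a real password hash.
func (s *Store) slowHash(password string) []byte {
	s.HashCalls++
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < hashRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// NewStore seeds one constructed user and precomputes the dummy hash.
func NewStore() *Store {
	s := &Store{users: map[string][]byte{}}
	s.users["alice"] = s.slowHash("correct horse battery staple")
	s.dummyHash = s.slowHash("dummy-value-never-a-real-password")
	s.HashCalls = 0
	return s
}

// LoginVulnerable returns as soon as the username lookup fails, so an unknown
// user never pays for the hash comparison. The two branches do different
// amounts of work, and that difference is what an observer can measure.
func (s *Store) LoginVulnerable(user, password string) error {
	stored, ok := s.users[user]
	if !ok {
		return ErrInvalid
	}
	if subtle.ConstantTimeCompare(s.slowHash(password), stored) != 1 {
		return ErrInvalid
	}
	return nil
}

// LoginHardened performs the same hash computation and comparison whether or
// not the user exists, substituting a precomputed dummy hash for missing users
// and only then folding the existence check into the final decision.
func (s *Store) LoginHardened(user, password string) error {
	stored, ok := s.users[user]
	if !ok {
		stored = s.dummyHash
	}
	match := subtle.ConstantTimeCompare(s.slowHash(password), stored) == 1
	if !ok || !match {
		return ErrInvalid
	}
	return nil
}

func main() {
	s := NewStore()
	attempts := []struct {
		name string
		fn   func(string, string) error
	}{
		{"vulnerable", s.LoginVulnerable},
		{"hardened", s.LoginHardened},
	}
	// Same wrong password against a known and an unknown user: the vulnerable
	// variant hashes only for "alice", the hardened variant hashes for both.
	for _, a := range attempts {
		for _, user := range []string{"alice", "nobody"} {
			s.HashCalls = 0
			err := a.fn(user, "wrong password")
			fmt.Printf("%-10s user=%-6s err=%v hashCalls=%d\n", a.name, user, err, s.HashCalls)
		}
	}
}
```

Counting hash invocations rather than timing the calls is deliberate: a unit test on a shared CI runner cannot reliably assert on microseconds, but it can assert that both branches of the hardened login do identical work, which is the property a reviewer wants to pin down when auditing an authentication backend for this class of bug.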