HashiCorp Vault and Vault Enterprise LDAP Auth Method MFA Enforcement Bypass Vulnerability

Vulnerability

A vulnerability exists in the LDAP authentication method of HashiCorp Vault and Vault Enterprise that may allow multi-factor authentication (MFA) enforcement to be bypassed. The issue arises when the 'username_as_alias' parameter is enabled on the LDAP auth mount and a user has multiple common names (CNs) that are identical apart from leading or trailing spaces. In that configuration the LDAP auth method may evaluate MFA enforcement incorrectly, allowing the user to authenticate without the required additional verification. This vulnerability affects Vault Community Edition versions 1.10.0 through 1.20.1 and Vault Enterprise versions 1.10.0 through 1.20.1, 1.19.7, 1.18.12, 1.16.23, and 1.15.16.

Impact

Exploitation of this vulnerability allows a login through the LDAP authentication method to complete without the MFA step that enforcement is meant to require, potentially leading to unauthorized access in environments where MFA is a critical security control.

Remediation

Users are advised to upgrade to Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, or 1.16.24. No fixed release is listed for the Vault Enterprise 1.15 line, although 1.15.16 is listed as affected.
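As an added triage helper that is not part of this page or of HashiCorp's own tooling, the script below does two things a practitioner would want before and after upgrading: it compares a Vault version string (as typed or as printed by 'vault version') against the affected and fixed versions listed in the Vulnerability and Remediation sections above, and it scans entity-alias records, in the shape returned by reading identity/entity-alias/id/<id>, for LDAP alias names that are identical apart from leading or trailing whitespace, which is the condition the advisory describes. The alias records in the block are constructed sample data; the treatment of Enterprise lines that have no listed fix (for example 1.15.x) as affected up to 1.20.1 is a conservative assumption drawn from the affected-version range, not a statement from the page.

```python
"""Triage helper for the Vault LDAP auth method MFA enforcement bypass.

Check 1: is_affected() compares a version string against the affected and
         fixed versions listed on this page.
Check 2: find_alias_collisions() looks for LDAP entity aliases whose names
         differ only by leading/trailing whitespace.
"""
import re
from collections import defaultdict

# Fixed Vault Enterprise releases per 1.x minor line, from the Remediation text.
FIXED_ENTERPRISE = {20: 2, 19: 8, 18: 13, 16: 24}
# Only one Community Edition release carries the fix.
FIRST_FIXED_CE = (1, 20, 2)
FIRST_AFFECTED = (1, 10, 0)
# Assumption: Enterprise lines without a listed fix count as affected up to here.
LAST_AFFECTED_MAINLINE = (1, 20, 1)

# Matches '1.20.1', 'v1.19.7+ent.hsm' and the version inside 'vault version' output.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(\+[\w.]+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_enterprise) parsed from text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    return version, suffix.startswith("+ent")


def is_affected(text):
    """True if the version in text falls inside the affected ranges on this page."""
    version, enterprise = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    if not enterprise:
        # Community Edition: every release from 1.10.0 up to 1.20.1 is affected.
        return version < FIRST_FIXED_CE
    fixed_patch = FIXED_ENTERPRISE.get(version[1])
    if version[0] == 1 and fixed_patch is not None:
        return version[2] < fixed_patch
    # No fix listed for this line: conservatively treat it as affected (assumption).
    return version <= LAST_AFFECTED_MAINLINE


def find_alias_collisions(aliases, mount_type="ldap"):
    """Group alias names on the given mount type by their whitespace-stripped
    form. Report groups with more than one distinct raw name, and any lone name
    that itself carries leading or trailing whitespace."""
    groups = defaultdict(set)
    for alias in aliases:
        if alias.get("mount_type") != mount_type:
            continue
        name = alias["name"]
        groups[name.strip()].add(name)
    findings = {}
    for stripped, raw_names in groups.items():
        if len(raw_names) > 1 or any(n != stripped for n in raw_names):
            findings[stripped] = sorted(raw_names)
    return findings


# Constructed sample records in the shape of identity/entity-alias/id/<id> reads.
SAMPLE_ALIASES = [
    {"name": "alice", "mount_type": "ldap", "mount_accessor": "auth_ldap_1"},
    {"name": " alice", "mount_type": "ldap", "mount_accessor": "auth_ldap_1"},
    {"name": "bob", "mount_type": "ldap", "mount_accessor": "auth_ldap_1"},
    {"name": "dave ", "mount_type": "ldap", "mount_accessor": "auth_ldap_1"},
    {"name": "carol ", "mount_type": "userpass", "mount_accessor": "auth_up_1"},
]

if __name__ == "__main__":
    for s in ("Vault v1.20.1+ent (abc123)", "1.20.2", "1.19.8+ent.hsm", "1.19.7", "1.9.10"):
        print(f"{s:32} {'AFFECTED' if is_affected(s) else 'not affected'}")
    for stripped, names in find_alias_collisions(SAMPLE_ALIASES).items():
        print(f"alias collision on {stripped!r}: {names}")
```

Run it against real data by feeding 'vault version' output to is_affected() and the JSON of each alias read from identity/entity-alias/id/<id> (after listing identity/entity-alias/id) to find_alias_collisions(); any reported group on the LDAP mount is worth examining before relying on MFA enforcement for those users, regardless of whether the upgrade has already been applied.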

Added: Aug 6, 2025, 11:57 AM
Updated: Aug 6, 2025, 11:57 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.