OpenBao Privileged Operator Identity Group Root Escalation Vulnerability

Vulnerability

A vulnerability in OpenBao, an open-source identity-based secrets management system, allows a privileged operator to escalate to root-equivalent permissions by attaching the root policy to an identity group. OpenBao versions prior to 2.4.4 are affected. The issue arises when an operator in the root namespace can write to the identity group endpoints (identity/group/...) but has no access to manage ACL policies (sys/policies/acl). Because the policies attached to a group apply to every member entity, including entities in nested member groups, such an operator can hand out root-equivalent rights without ever touching the policy endpoints. The vulnerability is patched in version 2.4.4.

Impact

Successful exploitation grants root-equivalent rights to an operator who was deliberately denied policy management, which amounts to full control of the affected OpenBao instance and every secret it holds.

Reproduction

To reproduce this vulnerability, a privileged operator must be in the root namespace and hold write access to the identity group endpoints without holding access to ACL policy management. The operator then uses the identity group subsystem to attach the root policy to a group, through the policies parameter of the group endpoints, of which they or an entity they control are a member. Tokens issued to those member entities then carry the root policy, and the escalation is complete.

Remediation

Users should update to OpenBao version 2.4.4 or later. Independently of the upgrade, audit which operators hold create or update capabilities on identity/group paths and treat that capability as equivalent to policy management when granting it. If the identity subsystem is not actively in use, deny operator access to it entirely. Existing groups should also be checked for the root policy and for any other policy broader than the group's members are meant to have.
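The escalation path described under Reproduction and the audit recommended under Remediation, as an added example that is not part of this advisory or of the OpenBao code base. It models identity group policy inheritance in plain Python over constructed data shaped like the data object of the identity/group/id/<id> and identity/entity/id/<id> responses (all group and entity ids, names and policies below are made up), flags groups that carry root and entities that become root-equivalent through them, and checks a simplified path-to-capabilities policy map for the precondition the advisory names. The policy matcher treats only a trailing * as a wildcard and deny as overriding; OpenBao's real ACL evaluation (including + segment wildcards) is richer.

```python
"""Added example: model OpenBao identity group policy inheritance and audit
for the root policy. All data below is constructed, not captured from a server.
"""
from __future__ import annotations

# Shaped like the `data` object of identity/group/id/<id>; ids and names are made up.
SAMPLE_GROUPS = {
    "g-platform": {"name": "platform", "policies": ["root"],
                   "member_entity_ids": ["e-alice"], "member_group_ids": ["g-oncall"]},
    "g-oncall":   {"name": "oncall", "policies": ["oncall"],
                   "member_entity_ids": ["e-bob"], "member_group_ids": []},
    "g-dev":      {"name": "dev", "policies": ["dev"],
                   "member_entity_ids": ["e-carol"], "member_group_ids": []},
}
# Shaped like the `data` object of identity/entity/id/<id>; constructed.
SAMPLE_ENTITIES = {
    "e-alice": {"name": "alice", "policies": ["default"]},
    "e-bob":   {"name": "bob",   "policies": ["default"]},
    "e-carol": {"name": "carol", "policies": ["default"]},
}


def _parent_groups(groups: dict) -> dict[str, list[str]]:
    """Map each group id to the groups that list it in member_group_ids."""
    parents: dict[str, list[str]] = {gid: [] for gid in groups}
    for gid, g in groups.items():
        for child in g.get("member_group_ids", []):
            parents.setdefault(child, []).append(gid)
    return parents


def groups_of_entity(entity_id: str, groups: dict) -> set[str]:
    """Groups whose policies reach the entity: direct memberships plus every
    ancestor group, since a parent group's policies apply to its member groups too."""
    parents = _parent_groups(groups)
    pending = [gid for gid, g in groups.items() if entity_id in g.get("member_entity_ids", [])]
    reached: set[str] = set()
    while pending:
        gid = pending.pop()
        if gid in reached:
            continue
        reached.add(gid)
        pending.extend(parents.get(gid, []))
    return reached


def effective_policies(entity_id: str, entities: dict, groups: dict) -> set[str]:
    """Policies a token for this entity carries: its own plus inherited group policies."""
    policies = set(entities[entity_id].get("policies", []))
    for gid in groups_of_entity(entity_id, groups):
        policies.update(groups[gid].get("policies", []))
    return policies


def groups_granting_root(groups: dict) -> list[str]:
    """Group ids carrying the root policy directly; the first thing to look for in an audit."""
    return sorted(gid for gid, g in groups.items() if "root" in g.get("policies", []))


def root_equivalent_entities(entities: dict, groups: dict) -> list[str]:
    """Entities that end up root-equivalent through any group, directly or nested."""
    return sorted(eid for eid in entities if "root" in effective_policies(eid, entities, groups))


# --- precondition check on a simplified ACL policy (path -> capabilities) ---

def _rule_matches(rule_path: str, request_path: str) -> bool:
    # Only a trailing '*' is treated as a wildcard (assumption; the real ACL also has '+').
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path


def can_write(policy: dict[str, list[str]], request_path: str) -> bool:
    """True if a matching rule grants create or update and no matching rule denies."""
    matching = [set(caps) for path, caps in policy.items() if _rule_matches(path, request_path)]
    if any("deny" in caps for caps in matching):
        return False
    return any(caps & {"create", "update"} for caps in matching)


def can_escalate_via_groups(policy: dict[str, list[str]]) -> bool:
    """The advisory's precondition: may write identity groups, may not manage ACL policies."""
    return (can_write(policy, "identity/group/name/platform")
            and not can_write(policy, "sys/policies/acl/platform"))


# Constructed operator policy: group management granted, policy management not.
OPERATOR_POLICY = {
    "identity/group/*": ["create", "read", "update", "list"],
    "identity/entity/*": ["read", "list"],
    "sys/policies/acl/*": ["read", "list"],
}
# The same operator after the remediation: identity group writes removed.
RESTRICTED_POLICY = {**OPERATOR_POLICY, "identity/group/*": ["read", "list"]}

if __name__ == "__main__":
    print("groups with root:", groups_granting_root(SAMPLE_GROUPS))
    print("root-equivalent entities:", root_equivalent_entities(SAMPLE_ENTITIES, SAMPLE_GROUPS))
    print("operator can escalate:", can_escalate_via_groups(OPERATOR_POLICY))
    print("restricted operator can escalate:", can_escalate_via_groups(RESTRICTED_POLICY))
```

On the constructed data, bob never appears in the platform group yet becomes root-equivalent because oncall is a member group of platform; an audit that only inspects direct member_entity_ids misses exactly this case. To run the same checks against a live instance, feed the script the data objects returned by listing and reading identity/group/id and identity/entity/id, and read every group, not only the ones whose names look privileged.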

Added: Nov 25, 2025, 1:21 AM
Updated: Nov 25, 2025, 1:21 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  5.4
remediation     7.7
relevance       1.2
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.