Hello, welcome to the Friday, October 9th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

When you're using APIs and cloud services, you often deal with a large number of API keys that of course have to be maintained,

have to be rotated, and have to be kept secret.

To simplify some of this, we have essentially the equivalent of a password manager for API keys

and that's I guess how you can describe HashiCorp's

wall. So what this product essentially does is that it maps your users to particular

users and roles that you define in various cloud products like for for example, AWS or Google Cloud.

Well, Google's project, Zero, took a closer look at Hashikorp Walt and found two interesting

vulnerabilities. One is actually related to how Go the language that the Hachorp's Walt is written in deals with XML.

Most XML parsers, if you feed them documents that are part XML, part something else,

well, they will just refuse to parse the document.

Now in Go's XML decoder, anything that's not XML in the beginning

will be ignored. So one trick these researchers played was to actually trigger a response.

It was actually JSON encoded, but included the XML response that they tried to get the

Hachicorp wall to accept, and that's sort of how they bypassed some of the authentication

in Hachicorp's wall.

Now, this essentially then worked against EWS and the attacker would have been able to essentially

authenticate to AWS using this vulnerability in Hachercorp.

The second vulnerability, also authentication bypass vulnerability, but against Google's cloud, is different in that it does abuse

vulnerability how JSON Web tokens are implemented by Hashy Corp Walt. All of these

vulnerabilities have been addressed by Hashy Corp so it should no longer really

...