Support for HashiCorp Vault with Database CSV Enumeration
Introduction
The Database CSV enumeration feature used for uploading multiple database credentials currently only supports the CyberArk Privileged Access Security (PAS) solution for retrieving credentials.
Change
The Database CSV enumeration feature is being expanded to include support for HashiCorp Vault. To use this integration, at least one Database Credential configured with the HashiCorp Vault credential must be present in the same scan policy as the Database Credential that carries the imported CSV file; this is what allows the credentials to be retrieved.
The database credentials are retrieved from the configured HashiCorp Vault host when the CSV specifies 'HashiCorp' in the 'cred_manager' field and a Secret Name in the 'secret_name' field (the seventh and eighth fields, respectively).
Oracle Database example:
Format: target, port, service_type, service_id, username, auth_type, cred_manager, secret_name
Values: 10.10.10.2, 1521, SID, ORCL, SYS, SYSDBA, HashiCorp, oracledb
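An added example, not Tenable's code: a pre-upload check in Python for a CSV in the layout above, reporting which rows depend on HashiCorp Vault and which rows are malformed. It assumes every row uses the eight-column layout with no header row and that 'HashiCorp' must be spelled exactly as shown on this page; `check_rows` is a hypothetical helper and sample rows 2 to 4 are constructed.

```python
import csv
import io

# Column order as given on the page (eight fields, no header row assumed).
FIELDS = ["target", "port", "service_type", "service_id",
          "username", "auth_type", "cred_manager", "secret_name"]

# Constructed sample: row 1 is the page's Oracle example, rows 2-4 are made up.
SAMPLE = """\
10.10.10.2, 1521, SID, ORCL, SYS, SYSDBA, HashiCorp, oracledb
10.10.10.3, 1521, SID, ORCL, SYS, SYSDBA, HashiCorp,
10.10.10.4, 99999, SID, ORCL, SYS, SYSDBA, hashicorp, oracledb
10.10.10.5, 1521, SID, ORCL, SYS
"""

def _valid_port(text):
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535

def check_rows(csv_text):
    """Hypothetical helper: return (vault_rows, problems) for the CSV text."""
    vault_rows, problems = [], []
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    for lineno, raw in enumerate(reader, start=1):
        if not raw:
            continue  # skip blank lines
        cells = [c.strip() for c in raw]
        if len(cells) != len(FIELDS):
            problems.append((lineno, f"expected {len(FIELDS)} fields, got {len(cells)}"))
            continue
        row = dict(zip(FIELDS, cells))
        if not _valid_port(row["port"]):
            problems.append((lineno, f"invalid port {row['port']!r}"))
        manager = row["cred_manager"]  # seventh field
        if manager == "HashiCorp":
            if row["secret_name"]:  # eighth field
                vault_rows.append(row)
            else:
                problems.append((lineno, "HashiCorp row has an empty secret_name"))
        elif manager.lower() == "hashicorp":
            # Assumption: exact spelling matters, so flag case variants for review.
            problems.append((lineno, f"cred_manager {manager!r} is not spelled 'HashiCorp'"))
    return vault_rows, problems

if __name__ == "__main__":
    rows, problems = check_rows(SAMPLE)
    print(f"{len(rows)} row(s) need a HashiCorp Vault credential in the scan policy")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```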
Impact
If users adopt this addition and the CSV file is correctly configured, they should see fewer credential attempts against database listeners and more accurate detection of the specified database, potentially resulting in additional vulnerability reports.
Target Release Date
25 May 2021
Released in Nessus plugin feed 202105251937
---------------------------------------------------------------------------------------------------
Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.