HCSEC-2020-02 - Consul’s HTTP/RPC Services Allow Unbounded Resource Usage, Susceptible to Unauthenticated Denial of Service

Bulletin ID: HCSEC-2020-02
Affected Products / Versions: Previous versions of Consul and Consul Enterprise; fixed in 1.6.3.
Publication Date: 29 January, 2020

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server. This vulnerability, CVE-2020-7219, affects all previous releases of Consul and is fixed in the 1.6.3 release.

Background
Consul utilizes HTTP for networked communication between Consul cluster members and control/administration of Consul servers.

Consul also implements Remote Procedure Call (RPC), a request / response mechanism allowing Consul agents to make a request of a server, which traverses the network between Consul nodes using TCP.

Consul’s HTTP and RPC both support using end-to-end TLS with optional client authentication.

Details
An internal security review identified a vulnerability such that it was possible to consume excessive Consul server resources via HTTP and RPC services.

A Consul server was exposed to denial of service attack by any party with network-level connectivity to that server. Authentication via mutual TLS is not required in order to launch an attack.

This relates to the denial of service property documented in the Consul security model. While successful exploitation of this vulnerability would not affect confidentiality or data integrity within a Consul deployment, availability would be affected.

Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Several new configuration options are introduced (rpc_max_conns_per_client, rpc_handshake_timeout, http_max_conns_per_client, https_handshake_timeout) with default values which restrict resource usage and reduce exposure to attack.

If upgrade is not possible, customers may consider other mitigation options:

  • Restrict connectivity to Consul servers to trusted sources/networks only. TCP ports used by Consul for HTTP, HTTPS, and RPC default to 8500, 8501, and 8300.

  • Restrict resource usage on Consul servers by enforcing network connection limits. For example, iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset.

Enabling TLS for RPC between agents as a defense-in-depth mechanism for Consul clusters, per documentation, remains strongly recommended.

Acknowledgement
This issue was identified by the HashiCorp security team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.