HCSEC-2020-10 - Consul Server Crash With Invalid Service-Router Config Entry

Bulletin ID: HCSEC-2020-10
Affected Products / Versions: Consul and Consul Enterprise 1.6.0 - 1.6.5 and 1.7.0 - 1.7.3; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

HashiCorp Consul and Consul Enterprise (“Consul”) could crash when configured with an abnormally-formed service-router entry. This vulnerability, CVE-2020-12758, was introduced in Consul 1.6.0 and fixed in 1.6.6 and 1.7.4.

Consul allows service-router config entries (see the Consul documentation) to be defined within the Consul configuration.

Introduced in Consul v1.6.0, a service-router config entry controls Connect traffic routing and manipulation at networking layer 7 (e.g. HTTP). Writing a service-router entry requires an ACL token with service:write permissions; an entry written without a destination could crash Consul servers. Note that this permission requirement limits exposure only where ACLs are enabled and enforced; in a cluster without ACL enforcement, any client that can reach the HTTP API or CLI can write config entries.
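
As an added example (not code from this bulletin or from Consul itself), the following operator-side lint reads a service-router config entry in the JSON form accepted by `consul config write` and reports every route that has no Destination block, so such an entry can be rejected before it reaches a cluster that has not yet been upgraded. The sample entries are constructed for illustration, and the check is an assumption about what a pre-write gate should look for; it does not reproduce Consul's own server-side validation.

```python
"""Operator-side lint for Consul service-router config entries.

Added example, not Consul's own validation code: it inspects the JSON form
of a config entry (as passed to `consul config write`) and reports every
route that carries no Destination block, so that such an entry can be
rejected before it is written to a cluster.
"""
import json
from typing import Any, Dict, List, Tuple


def find_routes_without_destination(entry: Dict[str, Any]) -> List[int]:
    """Return the indexes of Routes whose Destination is absent or null.

    Only "service-router" entries are inspected; any other Kind yields no
    findings. An empty Destination object ({}) is not flagged here; whether
    it is acceptable is left to Consul's own validation.
    """
    if entry.get("Kind") != "service-router":
        return []
    missing = []
    for index, route in enumerate(entry.get("Routes") or []):
        if not isinstance(route, dict) or not isinstance(route.get("Destination"), dict):
            missing.append(index)
    return missing


def lint_config_entry(raw_json: str) -> Tuple[bool, List[str]]:
    """Parse a JSON config entry and return (ok, list of problems)."""
    try:
        entry = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [f"invalid JSON: {exc}"]
    if not isinstance(entry, dict):
        return False, ["config entry must be a JSON object"]
    name = entry.get("Name", "<unnamed>")
    problems = [
        f"service-router {name!r}: Routes[{index}] has no Destination"
        for index in find_routes_without_destination(entry)
    ]
    return not problems, problems


# Constructed sample entries for demonstration (not taken from a real cluster).
VALID_ENTRY = json.dumps({
    "Kind": "service-router",
    "Name": "web",
    "Routes": [
        {"Match": {"HTTP": {"PathPrefix": "/admin"}},
         "Destination": {"Service": "admin"}},
        # A route with no Match is the catch-all; it still names a destination.
        {"Destination": {"Service": "web", "ServiceSubset": "v2"}},
    ],
})

# Routes[1] omits Destination entirely and Routes[2] sets it to null:
# both are the shape this bulletin warns about and both are reported.
MISSING_DESTINATION_ENTRY = json.dumps({
    "Kind": "service-router",
    "Name": "web",
    "Routes": [
        {"Match": {"HTTP": {"PathPrefix": "/admin"}},
         "Destination": {"Service": "admin"}},
        {"Match": {"HTTP": {"PathPrefix": "/api"}}},
        {"Match": {"HTTP": {"Header": [{"Name": "x-debug", "Present": True}]}},
         "Destination": None},
    ],
})


if __name__ == "__main__":
    for label, raw in (("valid", VALID_ENTRY), ("missing", MISSING_DESTINATION_ENTRY)):
        ok, problems = lint_config_entry(raw)
        print(f"{label}: {'OK' if ok else 'REJECT'}")
        for problem in problems:
            print(f"  - {problem}")
```

Running the script prints "valid: OK" for the first entry and "missing: REJECT" followed by one line per offending route for the second. A check like this belongs in the pipeline that applies config entries (for example a CI step before `consul config write`); it is a stop-gap for clusters still on an affected version and does not replace upgrading to 1.6.6 or 1.7.4.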

Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to the Upgrading Consul guide for general guidance and version-specific upgrade notes.

This issue was identified by the HashiCorp engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.