HCSEC-2020-11 - Consul Legacy ACL Permission Changes Not Propagated to Secondary Datacenters

Bulletin ID: HCSEC-2020-11
Affected Products / Versions: Consul and Consul Enterprise 1.4.0 and newer; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

Consul and Consul Enterprise (“Consul”) failed to enforce changes to legacy ACL token rules due to non-propagation to secondary datacenters. This vulnerability, CVE-2020-12797, was introduced in Consul 1.4.0 and fixed in 1.6.6 and 1.7.4.

Consul supports the replication of ACLs between datacenters. See ACL Replication for Multiple Datacenters for more information.

It was observed that Consul did not enforce changes to legacy ACL tokens rules due to not being propagated to secondary datacenters.

When configured to operate in multiple datacenters, Consul will have one of those datacenters act as the primary, while all the rest act as secondary datacenters. All policies, roles, globally scoped tokens and legacy ACLs (pre–1.4.0) can only be created in the primary datacenter, and then replicated to the secondary datacenters.

When using the legacy APIs to create or update legacy ACLs, an internal conversion process does not compute a necessary field. Due to this, when replicating legacy token updates, changes to a legacy ACL tokens rules were not propagated to a secondary datacenter.

Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Alternatively, if upgrading is not possible, potential mitigations include:

  • Disable token replication in secondary DCs. If token replication isn’t enabled all token resolution will be made against the primary DC which will always have the correct information.
  • Delete and recreate the token instead of updating it in the primary. The first time the token is replicated, it happens correctly.

This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.