HCSEC-2020-12 - Consul Local ACL Token Can Be Used in Remote Datacenters

Bulletin ID: HCSEC-2020-12
Affected Products / Versions: Consul and Consul Enterprise 1.4.0 and newer; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

Summary
Consul and Consul Enterprise (“Consul”) did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. This vulnerability, CVE-2020-13170, was introduced in Consul 1.4.0 and fixed in 1.6.6 and 1.7.4.

Background
The Consul access control list (ACL) mechanism (documentation) supports scoping of tokens such that they can be valid for access only to a subset of Consul datacenters.

Details
When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary succeed for operations targeting that secondary datacenter. Thus a token that was meant to be scoped to a single datacenter is accepted in other datacenters.
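As an added triage example (not HashiCorp's code): the script below checks each datacenter's Consul version against the affected range given in this bulletin and pairs the secondaries that lack token replication with the local tokens held by the primary. It assumes the `Local` boolean field of `consul acl token list -format=json` output, and all cluster data in it is constructed.

```python
import json
import re

# Fixed release per minor branch, from the bulletin (HCSEC-2020-12 / CVE-2020-13170).
FIXED = {(1, 6): (1, 6, 6), (1, 7): (1, 7, 4)}

def parse_version(v):
    """Accept "1.6.5", "v1.7.3" or "1.7.3+ent" (Enterprise suffix)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Consul version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if this build lacks the fix: 1.4.0 <= v < 1.6.6, or 1.7.0 <= v < 1.7.4."""
    v = parse_version(version)
    if v < (1, 4, 0):
        return False          # the bug was introduced in 1.4.0
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    return v < (1, 6, 0)      # 1.4.x/1.5.x: no fixed release; 1.8+ ships fixed

def local_tokens(token_list_json):
    """AccessorIDs of tokens flagged Local in 'consul acl token list -format=json' output.
    Assumes the Local boolean field of the ACL token API."""
    return [t["AccessorID"] for t in json.loads(token_list_json) if t.get("Local")]

def triage(dc_versions, primary, token_list_json, replication_enabled):
    """Return (secondary_dc, accessor_id) pairs where a primary-issued local token
    would be accepted: the secondary runs an affected build and has no token replication."""
    ids = local_tokens(token_list_json)
    at_risk = []
    for dc, ver in dc_versions.items():
        if dc == primary or replication_enabled.get(dc, False):
            continue  # bulletin: the fault shows where replication to the secondary is not enabled
        if is_affected(ver):
            at_risk.extend((dc, a) for a in ids)
    return at_risk

# Constructed sample data (not from a real cluster).
SAMPLE_TOKENS = json.dumps([
    {"AccessorID": "00000000-0000-0000-0000-000000000002", "Description": "Anonymous Token", "Local": False},
    {"AccessorID": "11111111-2222-4333-8444-555555555555", "Description": "dc1-only deploy token", "Local": True},
])
SAMPLE_DCS = {"dc1": "1.7.3+ent", "dc2": "1.7.3+ent", "dc3": "1.7.4+ent"}
SAMPLE_REPLICATION = {"dc2": False, "dc3": False}

if __name__ == "__main__":
    for dc, accessor in triage(SAMPLE_DCS, "dc1", SAMPLE_TOKENS, SAMPLE_REPLICATION):
        print(f"{dc}: upgrade needed, local token {accessor} is accepted here")
```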

Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.