HCSEC-2020-14 - Consul DNS and HTTP Cache Abuse Denial of Service

Bulletin ID: HCSEC-2020-14
Affected Products / Versions: Consul and Consul Enterprise; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

Consul and Consul Enterprise include an agent caching feature, available for the HTTP API (introduced in 1.2.0) and for DNS (introduced in 1.4.3), that was vulnerable to denial of service. This vulnerability, CVE-2020-13250, was fixed in Consul 1.6.6 and 1.7.4.

Consul 1.2.0 introduced an agent cache to ease management of proxy configuration on the agents, allowing caching in the HTTP API. Later, 1.4.3 included the ability to turn on using the agent cache for DNS queries.

It was observed that, while the cache can expire or evict old entries, it has no limit on its overall size. The caching feature may therefore be abused to perform a denial of service against Consul.

Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Customers should consider using the dns_config.use_cache and http_config.use_cache configuration options (see the Consul agent configuration documentation) to disable agent caching.
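The mitigation above as an agent configuration fragment, added here as an illustration rather than taken from the bulletin; the HCL file layout and file name are assumptions, and only the two option names come from the bulletin:

```hcl
# /etc/consul.d/cache.hcl (assumed path; any file the agent loads works).
# Turns off the agent cache named in HCSEC-2020-14 for agents that cannot
# yet be upgraded to 1.6.6 / 1.7.4. Both options default to the cached
# behaviour being available, so each must be set explicitly.

# HTTP API: stop serving responses from the agent cache.
http_config {
  use_cache = false
}

# DNS: stop answering DNS queries from the agent cache.
dns_config {
  use_cache = false
}
```

Reload or restart the agent after adding the file; the upgrade in the bulletin remains the proper fix, and this only removes the cache as an attack surface in the meantime.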

This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.