HCSEC-2020-22 - Consul Operator Read ACL Enables Connect Service Masquerading

Bulletin ID: HCSEC-2020-22
Affected Products / Versions: Consul and Consul Enterprise 1.2.0 through 1.8.5; fixed in 1.6.10, 1.7.10, and 1.8.6.
Publication Date: 19 November, 2020

Summary
A vulnerability, CVE-2020-28053, was identified in Consul and Consul Enterprise (“Consul”) such that operators with operator:read ACL permissions were able to read the Consul Connect CA configuration including the private key.

Background
Consul Connect utilizes mutual TLS to establish service identity within the mesh. Sensitive parts of the CA configuration, namely the private key, should be accessible only to privileged, authenticated users holding operator:write ACL permissions.

Details
Operators with operator:read ACL permissions were able to read the Consul Connect CA configuration, including the private key, when that configuration had been set explicitly through the /v1/connect/ca/configuration endpoint. This effectively allowed such a user to escalate privileges: with the CA private key they could create certificates for any Consul Connect service and so potentially masquerade as (receive and send traffic for) any service in the mesh.

Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.10, 1.7.10, or 1.8.6, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
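A fleet-audit helper for the affected range above, added here as an example and not part of the HashiCorp bulletin. It takes the version ranges straight from the bulletin (affected 1.2.0 through 1.8.5; fixed in 1.6.10, 1.7.10 and 1.8.6) and assumes version strings in the shape `consul version` prints (e.g. "Consul v1.8.4+ent"); the edge case it handles is that 1.6.10 and 1.7.10 sit numerically inside the affected range yet are patched.

```python
"""Decide whether a Consul build is affected by HCSEC-2020-22 (CVE-2020-28053)
and which patched release it should move to.

Added example, not HashiCorp's code. Ranges are taken from the bulletin.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_FROM: Version = (1, 2, 0)        # first affected release per the bulletin
FIXED_IN = {                              # per minor line, the release that fixes it
    (1, 6): (1, 6, 10),
    (1, 7): (1, 7, 10),
    (1, 8): (1, 8, 6),
}
LATEST_FIX: Version = max(FIXED_IN.values())
EARLIEST_FIX: Version = min(FIXED_IN.values())


def parse_version(raw: str) -> Version:
    """Reduce 'Consul v1.8.4+ent', 'v1.8.4' or '1.8.4-beta1' to (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised Consul version: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def recommended_upgrade(raw: str) -> Optional[Version]:
    """Return the patched release to move to, or None if the build is not affected.

    A plain 'AFFECTED_FROM <= v <= 1.8.5' test would misreport 1.6.10 and 1.7.10
    as vulnerable, so the fixed minor lines are checked individually.
    """
    v = parse_version(raw)
    if v < AFFECTED_FROM:
        return None                       # predates the vulnerable code
    line = (v[0], v[1])
    if line in FIXED_IN:                  # 1.6.x / 1.7.x / 1.8.x: compare to that line's fix
        return None if v >= FIXED_IN[line] else FIXED_IN[line]
    if v > LATEST_FIX:
        return None                       # newer than every listed fix (1.9+)
    return EARLIEST_FIX                   # 1.2 .. 1.5: any listed fix is acceptable; smallest jump


if __name__ == "__main__":
    for sample in ("Consul v1.8.5+ent", "1.6.10", "1.3.2", "1.9.0"):  # constructed inputs
        fix = recommended_upgrade(sample)
        print(sample, "->", "not affected" if fix is None else "upgrade to %d.%d.%d" % fix)
```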

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.