Bulletin ID: HCSEC-2020-22
Affected Products / Versions: Consul and Consul Enterprise 1.2.0 through 1.8.5; fixed in 1.6.10, 1.7.10, and 1.8.6.
Publication Date: 19 November, 2020
A vulnerability, CVE-2020-28053, was identified in Consul and Consul Enterprise (“Consul”) such that operators with operator:read ACL permissions were able to read the Consul Connect CA configuration including the private key.
Consul Connect utilizes mutual TLS to establish service identity within the mesh. Sensitive parts of the CA configuration, namely the private key, should only be accessible to privileged, authenticated users with operator:write ACL permissions.
Users with operator:read ACL permissions were able to read the Consul Connect CA configuration, including the private key, when it had been explicitly configured through the /v1/connect/ca/configuration endpoint. This allowed such a user to effectively escalate privileges by gaining the ability to create certificates for any Consul Connect service, which would potentially allow them to masquerade as (receive and send traffic for) any service in the mesh.
This issue is identified publicly as CVE-2020-28053.
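A defender-side verification check for the behaviour described above, written for this bulletin and not part of HashiCorp's advisory or Consul's own code: it inspects what /v1/connect/ca/configuration returns to a token that holds only operator:read and flags any private key material, so an operator can confirm the condition is gone after upgrading. The JSON field names (Provider, Config, PrivateKey, RootCert) are assumed to mirror Consul's CA configuration document, the token is sent in the standard X-Consul-Token header, and both sample responses are constructed.

```python
import json
import re
import urllib.error
import urllib.request

PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")  # any PEM key header
# Constructed sample of the JSON a vulnerable server handed to an operator:read
# token. Field names (Provider, Config, PrivateKey, RootCert) are assumed to
# mirror Consul's CA configuration document; the PEM bodies are placeholders.
LEAKY_RESPONSE = json.dumps({"Provider": "consul", "Config": {
    "LeafCertTTL": "72h",
    "PrivateKey": "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----",
    "RootCert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
}})
# Constructed sample of what a read-only token should see once fixed:
# the root certificate is still there, the private key is not.
FIXED_RESPONSE = json.dumps({"Provider": "consul", "Config": {
    "LeafCertTTL": "72h",
    "RootCert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
}})

def find_private_key_material(body: str) -> list:
    """JSON paths of every value carrying private key material, matched by
    field name (*PrivateKey*) or by a PEM private-key header in the value."""
    leaks = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if "privatekey" in key.lower() and value:
                    leaks.append(child)   # named key field with content
                else:
                    walk(value, child)
        elif isinstance(node, str) and PEM_PRIVATE_KEY.search(node):
            leaks.append(path)            # key material under another name
    walk(json.loads(body), "")
    return leaks

def check_consul_agent(addr: str, read_only_token: str) -> list:
    """Fetch the CA configuration with a token holding only operator:read and
    report leaked key paths; a 403 (token refused outright) is also a non-leak."""
    req = urllib.request.Request(f"{addr}/v1/connect/ca/configuration",
                                 headers={"X-Consul-Token": read_only_token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return find_private_key_material(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return []
        raise
```

Run `check_consul_agent("http://127.0.0.1:8500", token)` with a token whose policy grants nothing beyond operator = "read"; an empty list means no key material came back.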
Customers should upgrade to Consul or Consul Enterprise 1.6.10, 1.7.10, and 1.8.6, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
This issue was identified by the Consul engineering team.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.