HCSEC-2021-16 - Consul’s Application-Aware Intentions Deny Action Fails Open When Combined With Default Deny Policy

Bulletin ID: HCSEC-2021-16
Affected Products / Versions: Consul and Consul Enterprise 1.9.0 through 1.10.0; fixed in 1.9.8 and 1.10.1.
Publication Date: July 15, 2021

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using default_policy = "deny" together with a single L7 application-aware intention deny action caused the two deny rules to effectively cancel each other out, so the intention incorrectly failed open and allowed L4 traffic. This vulnerability, CVE-2021-36213, affects Consul versions 1.9.0 up to 1.10.0, and is fixed in the 1.9.8 and 1.10.1 releases.

Background
Consul Connect provides encrypted, identity-based service networking, which can be controlled using L4 service intentions or L7 application-aware intentions. Service communication is then enforced using these intentions to allow or deny network traffic between services. The default intention behavior is defined by the default ACL policy.

Details
During internal testing, it was observed that running Consul with a default deny policy together with a single L7 application-aware intention deny action caused the traffic to fail open, allowing any L4 traffic from the denied service.

This is a specific intentions configuration that most Consul deployments are unlikely to use. Explicitly defining a single L7 application-aware intention using a deny action with a default deny policy already in place would effectively be a redundant configuration, as the traffic will already be denied using the default policy.

Consul’s intentions logic has been modified to correctly enforce access controls for the configuration as described.

Remediation
Customers running Consul 1.9.0 or newer should evaluate the risk associated with this issue and consider upgrading to Consul 1.10.1 / 1.9.8. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

If upgrading is not possible, customers should review their Consul Connect intentions for the redundant deny/deny configuration described above and consider removing the problematic L7 rule.
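The following is an added example, not code from HashiCorp or the Consul project, showing how the redundant deny/deny configuration described in the Details and Remediation sections above can be located in exported configuration. It assumes the agent configuration in JSON form (acl.default_policy) and the JSON shape of service-intentions config entries as returned by the Consul config API, where each Source carries either an L4 "Action" or a list of L7 "Permissions"; all sample entries are constructed for the example.

```python
"""Scan Consul service-intentions config entries for the redundant
deny/deny pattern described in HCSEC-2021-16: an agent running with
acl.default_policy = "deny" plus a source that carries only L7 (Permissions)
deny rules and no L4 Action. On affected versions that combination failed
open at L4; on any version it is redundant, since the default policy already
denies the source."""
import copy
import json

# Constructed sample inputs (not taken from a real cluster).
# Agent configuration fragment, as it would appear in JSON form.
AGENT_CONFIG = {"acl": {"default_policy": "deny"}}

# service-intentions config entries in the JSON shape used by the Consul
# config API (assumed schema: each Source has either an L4 "Action" or a
# list of L7 "Permissions").
INTENTION_ENTRIES = [
    {
        "Kind": "service-intentions",
        "Name": "api",
        "Sources": [
            # L7-only deny under a default-deny policy: the pattern from the bulletin.
            {
                "Name": "batch",
                "Permissions": [
                    {"Action": "deny", "HTTP": {"PathPrefix": "/admin"}}
                ],
            },
            # Mixed L7 permissions: contains an allow, so not redundant.
            {
                "Name": "web",
                "Permissions": [
                    {"Action": "deny", "HTTP": {"PathPrefix": "/admin"}},
                    {"Action": "allow", "HTTP": {"PathPrefix": "/"}},
                ],
            },
            # Plain L4 allow: unaffected.
            {"Name": "frontend", "Action": "allow"},
        ],
    },
    {
        "Kind": "service-intentions",
        "Name": "db",
        "Sources": [
            # Plain L4 deny: explicit, unaffected.
            {"Name": "web", "Action": "deny"},
        ],
    },
]


def default_policy_is_deny(agent_config):
    """True when the agent's ACL default policy is "deny" (Consul's default is "allow")."""
    return agent_config.get("acl", {}).get("default_policy", "allow") == "deny"


def is_l7_deny_only(source):
    """A source with no L4 Action and only deny Permissions (L7) is the redundant rule."""
    if source.get("Action"):
        return False  # L4 intention, not an L7 rule
    perms = source.get("Permissions") or []
    return bool(perms) and all(p.get("Action") == "deny" for p in perms)


def find_redundant_l7_deny(agent_config, entries):
    """Return (destination, source) pairs for every L7 deny-only source under default deny."""
    if not default_policy_is_deny(agent_config):
        return []
    hits = []
    for entry in entries:
        if entry.get("Kind") != "service-intentions":
            continue
        for src in entry.get("Sources", []):
            if is_l7_deny_only(src):
                hits.append((entry["Name"], src["Name"]))
    return hits


def remove_redundant_l7_deny(agent_config, entries):
    """Return a deep copy of entries with the flagged sources removed, so the
    default deny policy alone governs them (the bulletin's interim mitigation)."""
    flagged = set(find_redundant_l7_deny(agent_config, entries))
    cleaned = copy.deepcopy(entries)
    for entry in cleaned:
        entry["Sources"] = [
            s for s in entry.get("Sources", [])
            if (entry["Name"], s["Name"]) not in flagged
        ]
    return cleaned


if __name__ == "__main__":
    for dest, src in find_redundant_l7_deny(AGENT_CONFIG, INTENTION_ENTRIES):
        print(f"redundant L7 deny: source={src} destination={dest}")
    print(json.dumps(remove_redundant_l7_deny(AGENT_CONFIG, INTENTION_ENTRIES), indent=2))
```

Only the "batch" source is flagged: it has no L4 action and nothing but a deny permission, which is exactly the rule the default deny policy already covers. Sources that mix allow and deny permissions, or that set an explicit L4 action, are left untouched, since they express policy the default cannot provide on its own.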

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.