HCSEC-2021-17 - Consul’s Envoy TLS Configuration Did Not Validate Destination Service Subject Alternative Names

Bulletin ID: HCSEC-2021-17
Affected Products / Versions: Consul and Consul Enterprise 1.3.0 through 1.10.0; fixed in 1.8.14, 1.9.8, and 1.10.1.
Publication Date: July 15, 2021

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that the Envoy proxy configuration for Consul Connect does not mutually verify the destination service identity. This vulnerability, CVE-2021-32574, affects Consul versions 1.3.0 up to 1.10.0, and is fixed in the 1.8.14, 1.9.8, and 1.10.1 releases.

Background
Consul Connect provides encrypted, identity-based service networking (overview) facilitated with mutual TLS and Envoy proxy integration. Service communication is enforced using Consul intentions to allow or deny network traffic between services.

Details
During internal testing, it was observed that Consul’s Envoy proxy configuration did not mutually verify the destination SPIFFE encoded service identity X.509 SAN. It would only verify the service identity was created with a valid CA, allowing one service to potentially masquerade as another.

Consul’s Envoy proxy configuration has been modified to correctly verify destination service identity via the encoded SAN.

Remediation
Customers using Consul Connect should evaluate the risk associated with this issue and consider upgrading to Consul 1.10.1 / 1.9.8 / 1.8.14, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by a solutions engineer in HashiCorp’s Consul specialist team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.