HCSEC-2021-22 - Consul Raft RPC Privilege Escalation

Bulletin ID: HCSEC-2021-22
Affected Products / Versions: Consul and Consul Enterprise through 1.10.1; fixed in 1.8.15, 1.9.9 and 1.10.2.
Publication Date: September 1, 2021

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that anyone with a certificate signed by the CA can escalate privileges by directly communicating with the Consul server’s Raft RPC layer. This vulnerability, CVE-2021-37219, was fixed in Consul and Consul Enterprise 1.8.15, 1.9.9, and 1.10.2

Background
Consul uses mTLS for agent communication between Consul client and server agents. This provides an encrypted and authenticated RPC channel. A subset of the available server RPC functionality is meant to be exposed to client agents, with the others intended for server agent usage only.

Details
During internal testing, it was observed that using a non-server certificate from the configured Consul CA enables access to server-only Raft RPC functionality.

Consul’s RPC authentication logic has been modified to correctly enforce server-only access for the Raft RPC layer.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.8.15, 1.9.9 and 1.10.2, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the HashiCorp engineering & product security teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.