Bulletin ID: HCSEC-2021-24
Affected Products / Versions: Consul and Consul Enterprise through 1.10.1; fixed in 1.8.15, 1.9.9 and 1.10.2.
Publication Date: September 1, 2021
Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that anyone holding an ACL token with service:write
permissions for any one service could register a proxy for any other service. This vulnerability, CVE-2021-38698, was fixed in Consul and Consul Enterprise 1.8.15, 1.9.9, and 1.10.2.
Background
Consul uses mTLS for communication between service proxies, which provides encrypted and authenticated network traffic between services. Service proxy registrations are authorized using Consul ACL tokens: a token must grant service:write on a service before a proxy may be registered for it.
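As an added illustration (not part of this bulletin), the kind of least-privilege ACL policy a single service's token would typically carry. The service names web and web-sidecar-proxy are assumptions; the policy deliberately grants nothing on any other service:

```hcl
# Illustrative policy, not from the bulletin. Grants write only on the "web"
# service and on its default sidecar proxy name; no other service is mentioned.
service "web" {
  policy = "write"
}

service "web-sidecar-proxy" {
  policy = "write"
}
```

Before the fix, a token carrying only this policy could still register a connect proxy whose destination was some other service; the fixed versions reject such a registration because the token lacks service:write on that destination.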
Details
During internal testing, it was observed that a holder of an ACL token with service:write
permissions for one service could register a proxy for a different service that the token was not authorized to write. Because the proxy was accepted as a legitimate proxy for the target service, it could receive traffic intended for that service.
Consul’s authorization logic has been modified to correctly enforce ACL token policies: registering a proxy for a service now requires service:write permission on that service, not merely on some other service.
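The following Go program is an added, self-contained model of the authorization check described above; it is not Consul's code and the bulletin does not say which code path lacked the check. It contrasts a weak registration check that only looks at the proxy's own registered name with a fixed check that also demands service:write on the destination service a connect proxy will front. The token rules, the service names web, web-sidecar-proxy and api, and the function names are all constructed for the example:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServiceRule is one "service" (exact) or "service_prefix" entry of an ACL policy.
type ServiceRule struct {
	Name   string // exact service name, or a name prefix when Prefix is true
	Prefix bool
	Write  bool // true for policy = "write", false for "read"
}

// Authorizer models the ServiceWrite question an ACL token can be asked.
// Illustrative only; not Consul's authorizer.
type Authorizer struct {
	Rules []ServiceRule
}

// ServiceWrite reports whether the token may write the named service.
// An exact rule wins outright; otherwise the longest matching prefix rule
// decides; no matching rule means deny.
func (a *Authorizer) ServiceWrite(name string) bool {
	allowed, best := false, -1
	for _, r := range a.Rules {
		if !r.Prefix {
			if r.Name == name {
				return r.Write
			}
			continue
		}
		if strings.HasPrefix(name, r.Name) && len(r.Name) > best {
			allowed, best = r.Write, len(r.Name)
		}
	}
	return allowed
}

// Registration carries the fields of a service registration relevant to the check.
type Registration struct {
	Kind                   string // "" for a plain service, "connect-proxy" for a sidecar
	Service                string // name the registration is stored under, e.g. web-sidecar-proxy
	DestinationServiceName string // proxy.destination_service_name: the service whose traffic the proxy carries
}

var ErrPermissionDenied = errors.New("permission denied")

// vetRegistrationWeak has the flawed shape: it checks service:write only on
// the proxy's own registered name, never on the service it will front.
func vetRegistrationWeak(authz *Authorizer, reg Registration) error {
	if !authz.ServiceWrite(reg.Service) {
		return fmt.Errorf("%w: service:write on %q", ErrPermissionDenied, reg.Service)
	}
	return nil
}

// vetRegistrationFixed additionally requires service:write on the destination
// service for connect proxies, and rejects a proxy with no destination at all.
func vetRegistrationFixed(authz *Authorizer, reg Registration) error {
	if err := vetRegistrationWeak(authz, reg); err != nil {
		return err
	}
	if reg.Kind != "connect-proxy" {
		return nil
	}
	if reg.DestinationServiceName == "" {
		return errors.New("connect-proxy registration must set proxy.destination_service_name")
	}
	if !authz.ServiceWrite(reg.DestinationServiceName) {
		return fmt.Errorf("%w: service:write on destination %q", ErrPermissionDenied, reg.DestinationServiceName)
	}
	return nil
}

func main() {
	// Constructed sample: a token scoped to "web" and its sidecar (assumed names).
	webToken := &Authorizer{Rules: []ServiceRule{
		{Name: "web", Write: true},
		{Name: "web-sidecar-proxy", Write: true},
	}}
	// A proxy registered under web's sidecar name but fronting "api".
	rogue := Registration{Kind: "connect-proxy", Service: "web-sidecar-proxy", DestinationServiceName: "api"}
	fmt.Println("weak check: ", vetRegistrationWeak(webToken, rogue))  // <nil>: accepted
	fmt.Println("fixed check:", vetRegistrationFixed(webToken, rogue)) // permission denied on "api"
}
```

The point to take from the model is that a proxy registration names two services, the proxy itself and the service whose traffic it will carry, and an authorization check that looks at only the first lets a token scoped to one service stand up a proxy for any other.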
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.8.15, 1.9.9, or 1.10.2, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by the Consul engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.