HCSEC-2021-24 - Consul Missing Authorization Check on Txn.Apply Endpoint

Bulletin ID: HCSEC-2021-24
Affected Products / Versions: Consul and Consul Enterprise through 1.10.1; fixed in 1.8.15, 1.9.9 and 1.10.2.
Publication Date: September 1, 2021

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that anyone with service:write permissions for any service would be allowed to register a proxy for any other service. This vulnerability, CVE-2021-38698, was fixed in Consul and Consul Enterprise 1.8.15, 1.9.9, and 1.10.2

Consul uses mTLS for communication between service proxies which enables encrypted and authenticated network traffic between services. Service proxies registrations are authorized using Consul ACL tokens.

During internal testing, it was observed that using an ACL token with service:write permissions for any service was allowed to register a proxy for another service it was not authorized to. This allowed the proxy to receive traffic for the target service.

Consul’s authorization logic has been modified to correctly enforce ACL token policies.

Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.8.15, 1.9.9 and 1.10.2, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.