Bulletin ID: HCSEC-2021-29
Affected Products / Versions: Consul Enterprise 1.7.0 and newer; fixed in 1.8.17, 1.9.11, and 1.10.4.
Publication Date: November 12, 2021
Summary
A vulnerability was identified in Consul Enterprise such that an ACL token with the default operator:write permissions in one namespace may be used to escalate privileges into any other permissions across all namespaces. This vulnerability, CVE-2021-41805, was fixed in Consul Enterprise 1.8.17, 1.9.11, and 1.10.4.
Background
Consul Enterprise uses namespaces and the ACL system for restricting access to resources such as services and nodes. The operator ACL rule (such as operator:read) is used for cluster-level operations found in the operator API, with the one exception being the keyring API.
Details
During internal testing, it was observed that an ACL token configured with default operator:write permissions may be used to escalate privileges into any other permissions across all namespaces. Consul Enterprise’s authorization logic has been modified to prohibit this.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul Enterprise 1.10.4, 1.9.11, 1.8.17, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by the Consul engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.