Bulletin ID: HCSEC-2022-20
Affected Products / Versions: Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1; fixed in 1.11.9, 1.12.5, and 1.13.2.
Publication Date: September 21, 2022
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that a specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This vulnerability, CVE-2022-40716, was fixed in Consul 1.11.9, 1.12.5, and 1.13.2.
Consul server and client agents communicate over an internal RPC endpoint that must be protected with mTLS using the tls.internal_rpc.verify_incoming and tls.internal_rpc.verify_server_hostname agent configuration options.
During internal testing, we observed it was possible to bypass intended ACL token restrictions when communicating directly with Consul’s internal RPC endpoint. It could enable a privileged attacker to bypass Consul service mesh intentions by providing a specially crafted certificate signing request (CSR). The RPC endpoint has been updated to only allow a single SAN URI value in the CSR.
To exploit the CSR vulnerability, an attacker requires access to a client agent’s mTLS certificate, and a valid ACL token for any service within the mesh. Consul administrators should prevent access to client agent configuration secrets including mTLS certificates, gossip keys, and ACL tokens. For more information, see the tutorial.
Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.11.9, 1.12.5, and 1.13.2, or newer.
This issue was identified by HashiCorp’s solutions engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.