HCSEC-2023-16 - Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner

Bulletin ID: HCSEC-2023-16
Affected Products / Versions: Consul and Consul Enterprise 1.15.0 through 1.15.2; fixed in 1.15.3.

Publication Date: June 2, 2023

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that any user with service:write permissions could use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. This vulnerability, CVE-2023-2816, was resolved in Consul 1.15.3.

Background
Consul supports built-in Envoy extensions to modify Envoy behavior underlying the service mesh via Consul configuration entries. Envoy extensions can be configured for either specific services via service-defaults config (requiring service:write permission for the target service), or all services via proxy-defaults (requiring the elevated mesh:write permission, applicable to an entire admin partition). This vulnerability focuses on the first case, where an operator is only authorized to modify Envoy resources for specific services.

In Consul 1.15, the existing AWS Serverless plugin was converted to the Lambda Envoy extension, and the new Lua Envoy extension was introduced to enable the addition of custom Lua scripts to HTTP filters. The Lambda extension by design must patch downstream services that call the Lambda function designated in a service-defaults entry, providing them with necessary configuration to communicate with Lambda. By contrast, Lua and other extensions are intended to be used to patch the local proxy for a given configured service, rather than its downstreams. Unlike Lambda, Lua is designed for injecting new behavior, and therefore is not safe to apply to proxies that the configuring user does not have permission to modify.

Details
During internal testing we observed that it was possible to bypass the intended restrictions on configuring remote Envoy proxy instances that target a configured service. On further investigation, we found that the implementations of the Lambda and Lua extensions shared configuration ingestion logic that caused Lua to behave like Lambda when the extension's Listener was set to outbound: the patch was applied to outbound traffic targeting the configured service from remote downstream proxies, rather than to the configured service’s own outbound traffic to its upstreams. This behavior has been fixed so that outbound configuration is applied only to listeners in the configured service’s local proxy.
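The risky combination described above (a non-Lambda extension in a service-defaults entry with Listener set to outbound, on an affected version) can be audited from exported config entries. The following is an added example written for this advisory, not HashiCorp code; it assumes the JSON shape produced by `consul config` commands for service-defaults entries, the extension names `builtin/lua` and `builtin/aws/lambda` as documented for Consul 1.15, and a constructed sample input.

```python
"""Audit Consul service-defaults entries for the HCSEC-2023-16 condition.

Flags service-defaults entries that attach a non-Lambda Envoy extension with
Listener = "outbound" while the cluster runs an affected Consul version
(1.15.0 through 1.15.2). The Lambda extension is excluded because it patches
downstream proxies by design.
"""
import json

AFFECTED = {(1, 15, 0), (1, 15, 1), (1, 15, 2)}  # fixed in 1.15.3

def parse_version(v):
    """'1.15.2' or '1.15.2+ent' -> (1, 15, 2)."""
    core = v.split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))

def flag_entries(entries, consul_version):
    """Return [(service_name, extension_name)] for entries matching the advisory."""
    if parse_version(consul_version) not in AFFECTED:
        return []
    findings = []
    for entry in entries:
        if entry.get("Kind") != "service-defaults":
            continue
        for ext in entry.get("EnvoyExtensions") or []:
            name = ext.get("Name", "")
            args = ext.get("Arguments") or {}
            listener = str(args.get("Listener", "")).lower()
            if name != "builtin/aws/lambda" and listener == "outbound":
                findings.append((entry.get("Name"), name))
    return findings

# Constructed sample resembling exported config-entry JSON (not real cluster data).
SAMPLE = json.loads("""[
  {"Kind": "service-defaults", "Name": "billing", "Protocol": "http",
   "EnvoyExtensions": [{"Name": "builtin/lua",
     "Arguments": {"ProxyType": "connect-proxy", "Listener": "outbound",
                   "Script": "function envoy_on_request(h) end"}}]},
  {"Kind": "service-defaults", "Name": "web", "Protocol": "http",
   "EnvoyExtensions": [{"Name": "builtin/lua",
     "Arguments": {"ProxyType": "connect-proxy", "Listener": "inbound",
                   "Script": "function envoy_on_request(h) end"}}]},
  {"Kind": "service-defaults", "Name": "fn", "Protocol": "http",
   "EnvoyExtensions": [{"Name": "builtin/aws/lambda",
     "Arguments": {"ARN": "arn:aws:lambda:REGION:ACCOUNT:function:PLACEHOLDER"}}]}
]""")

if __name__ == "__main__":
    for svc, ext in flag_entries(SAMPLE, "1.15.2"):
        print(f"service-defaults '{svc}': {ext} with Listener=outbound on affected version")
```

Only the `billing` entry is reported: it is Lua with an outbound listener; `web` uses an inbound listener and `fn` is the Lambda extension, which patches downstreams by design.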

Remediation
Consul administrators should assess risk / exposure as described, and consider upgrading their Consul cluster to version 1.15.3 or newer.

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.