HCSEC-2024-22 - Consul L7 Intentions Vulnerable To URL Path Bypass

Bulletin ID: HCSEC-2024-22
Affected Products / Versions:
Consul Community Edition from 1.9.0 up to 1.20.0, fixed in 1.20.1.

Consul Enterprise from 1.9.0 up to 1.20.0, 1.19.2, 1.18.4, 1.15.14, fixed in 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

Publication Date: October 30, 2024

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. This vulnerability, identified as CVE-2024-10005, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

Background
Intentions control communication between services at the network layer, also called L4 traffic, or at the application layer, also called L7 traffic. For destination services using an HTTP-based protocol, L7 intentions can enforce access based on application-aware request attributes, so traffic between services is controlled by the service intention configuration.

Paths are one of the HTTP permission attributes configurable in L7 intentions; a request is allowed or denied based on whether its path matches one or more of the provided values.

Details
Consul allows administrators to implement application-aware controls called L7 intentions to configure deny- and allow-list based rules. Due to a lack of path normalization, a vulnerability was identified where URL-encoded paths and/or multiple slashes could be exploited to bypass permissions defined in the intentions.
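The following Go program is an added illustration of the normalization gap the advisory describes; it is not Consul's code and does not reproduce Consul's intention matcher. It assumes a hypothetical `Rule` type standing in for one HTTP permission (an action plus a `PathExact` or `PathPrefix`), compares a matcher that uses the request path as received against one that first percent-decodes, collapses repeated slashes and resolves dot segments with `path.Clean`, and treats an un-normalizable path as denied. The rule and request paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a simplified stand-in for one HTTP permission in an L7 intention:
// an action that applies when the request path matches exactly or by prefix.
// (Hypothetical type for this example, not Consul's own configuration struct.)
type Rule struct {
	Action     string // "allow" or "deny"
	PathExact  string
	PathPrefix string
}

func (r Rule) matches(p string) bool {
	if r.PathExact != "" {
		return p == r.PathExact
	}
	return r.PathPrefix != "" && strings.HasPrefix(p, r.PathPrefix)
}

// Evaluate returns the action of the first rule matching p, else defaultAction.
// It compares the path exactly as received, which is the behaviour that lets
// an encoded or double-slash variant slip past a prefix rule.
func Evaluate(rules []Rule, p, defaultAction string) string {
	for _, r := range rules {
		if r.matches(p) {
			return r.Action
		}
	}
	return defaultAction
}

// NormalizePath applies basic path normalization before matching: one pass of
// percent-decoding, then path.Clean, which collapses repeated slashes and
// resolves "." and ".." segments. Malformed percent-encoding is an error.
func NormalizePath(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	// The leading slash keeps the result rooted even if raw lacked one;
	// path.Clean folds any resulting "//" back to "/".
	return path.Clean("/" + decoded), nil
}

// EvaluateNormalized normalizes first, then matches. A path that cannot be
// normalized is denied outright rather than falling through to the default.
func EvaluateNormalized(rules []Rule, raw, defaultAction string) string {
	p, err := NormalizePath(raw)
	if err != nil {
		return "deny"
	}
	return Evaluate(rules, p, defaultAction)
}

func main() {
	// Constructed deny-list rule: block /admin, allow everything else.
	rules := []Rule{{Action: "deny", PathPrefix: "/admin"}}
	// Constructed request paths that all resolve to /admin/users.
	for _, raw := range []string{"/admin/users", "//admin/users", "/%61dmin/users"} {
		fmt.Printf("%-16s as-received=%-5s normalized=%s\n", raw,
			Evaluate(rules, raw, "allow"), EvaluateNormalized(rules, raw, "allow"))
	}
}
```

Two design points carry over to real deployments. Decoding is done once: a second pass would turn `%25`-encoded sequences into something the rule author never wrote, so double-encoded input should be matched as-is (or rejected) rather than decoded again. And this toy normalizer decodes `%2F` into a path separator; whether an encoded slash should be treated as a separator, rejected, or left untouched is a separate policy choice, and Envoy exposes it alongside its `normalize_path` and `merge_slashes` options, which is the kind of setting the "request normalization configuration" mentioned under Remediation controls.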

Remediation
Customers using application-aware (L7) intentions should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.1, 1.19.3, 1.18.5, 1.15.15, or newer, and updating the request normalization configuration based on their specific requirements.

All versions of Consul released going forward, including the fix versions noted above, will have basic path normalization enabled by default.

See Consul’s Security and Upgrading documentation for general guidance on this process.

Acknowledgement
This issue was identified by HashiCorp’s external security assessment partner and Consul engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.