HCSEC-2024-23 - Consul L7 Intentions Vulnerable To Headers Bypass

Bulletin ID: HCSEC-2024-23
Affected Products / Versions:
Consul Community Edition from 1.9.0 up to 1.20.0, fixed in 1.20.1.

Consul Enterprise from 1.9.0 up to 1.20.0, 1.19.2, 1.18.4, 1.15.14, fixed in 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

Publication Date: October 30, 2024

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP header based access rules configured in L7 traffic intentions could be bypassed. This vulnerability, identified as CVE-2024-10006, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

Background
Intentions control communication between services either at the network layer (L4 traffic) or at the application layer (L7 traffic). For destination services using an HTTP-based protocol, L7 intentions can enforce access based on application-aware request attributes, such as the path, method or headers, according to the service intention configuration.

Header matches are one of the HTTP permission criteria configurable in L7 intentions; they allow or deny traffic by matching a named request header against one or more provided values.

Details
Consul allows administrators to implement application-aware controls, so-called L7 intentions, to configure deny-list and allow-list based rules. Due to a lack of header normalization, a vulnerability was identified where a request carrying multiple instances of a header and/or a header name that differs only in case from the configured match could bypass permissions defined in the intentions. HTTP header field names are case-insensitive and a field may legitimately appear more than once in a request, so a matcher that compares names literally or inspects only a single instance can be made to miss a header that the destination service will still honor.
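To make the two bypass routes concrete, the following Go program is an added illustration of the vulnerability class described above; it is not Consul's code and does not reproduce Consul's intention evaluator or its Envoy configuration. The `DenyRule` type, the `Header` type and the two evaluators are hypothetical models: `naiveDenied` compares header names literally and looks at only the first occurrence, while `normalizedDenied` canonicalizes names and examines every occurrence. The request header lines are constructed sample input.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// Header is one raw header line as received on the wire, before any
// canonicalization. Raw pairs are used instead of net/http.Header because
// Go's own parser would canonicalize names and hide the behaviour being modeled.
type Header struct{ Name, Value string }

// DenyRule is a hypothetical model of a single L7 intention HTTP header
// permission with Action = "deny": block the request when the header named
// Name carries exactly the value Exact. It is not Consul's configuration type.
type DenyRule struct{ Name, Exact string }

// parseHeaders turns constructed "Name: value" lines into raw pairs,
// keeping the name exactly as written.
func parseHeaders(lines []string) []Header {
	var hs []Header
	for _, l := range lines {
		name, value, ok := strings.Cut(l, ":")
		if !ok {
			continue
		}
		hs = append(hs, Header{Name: strings.TrimSpace(name), Value: strings.TrimSpace(value)})
	}
	return hs
}

// naiveDenied models an evaluator without header normalization: the
// configured name must match the wire spelling byte for byte, and only the
// first occurrence of that name is compared. Both shortcuts are bypassable.
func naiveDenied(rules []DenyRule, hs []Header) bool {
	for _, r := range rules {
		for _, h := range hs {
			if h.Name == r.Name { // case-sensitive comparison
				if h.Value == r.Exact {
					return true
				}
				break // first occurrence decides; later duplicates are ignored
			}
		}
	}
	return false
}

// normalizedDenied canonicalizes both the configured name and each wire name
// (HTTP field names are case-insensitive) and compares every occurrence, so a
// repeated header cannot hide a matching value behind a harmless first one.
func normalizedDenied(rules []DenyRule, hs []Header) bool {
	for _, r := range rules {
		want := textproto.CanonicalMIMEHeaderKey(r.Name)
		for _, h := range hs {
			if textproto.CanonicalMIMEHeaderKey(h.Name) == want && h.Value == r.Exact {
				return true
			}
		}
	}
	return false
}

func main() {
	rules := []DenyRule{{Name: "X-Admin", Exact: "true"}}
	// Constructed requests: the first should be denied by any evaluator; the
	// other two are the case and duplicate-header variants of the same request.
	cases := []struct {
		label string
		lines []string
	}{
		{"straight", []string{"X-Admin: true"}},
		{"lowercase", []string{"x-admin: true"}},
		{"duplicate", []string{"X-Admin: false", "X-Admin: true"}},
	}
	for _, c := range cases {
		hs := parseHeaders(c.lines)
		fmt.Printf("%-10s naive denied=%-5v normalized denied=%v\n",
			c.label, naiveDenied(rules, hs), normalizedDenied(rules, hs))
	}
}
```

Running it shows the naive evaluator denying only the `straight` request and letting both variants through, while the normalized evaluator denies all three. The same normalization applies when reviewing match rules: a rule should be evaluated against the canonical header name and against every instance of the header, not the literal spelling of a single one.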

Remediation
Customers using application-aware (L7) intentions should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.1, 1.19.3, 1.18.5, 1.15.15, or newer, and should review their L7 HTTP header intentions to ensure that match rules are resilient to circumvention by header name casing or repeated headers.

See Consul’s Service Intentions configuration reference and Upgrading documentation for general guidance on this process.

Acknowledgement
This issue was identified by HashiCorp’s external security assessment partner and Consul engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.