HCSEC2020-14 - Consul DNS and HTTP Cache Abuse Denial of Service

Bulletin ID: HCSEC-2020-14
Affected Products / Versions: Consul and Consul Enterprise; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

Summary
Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. This vulnerability, CVE-2020-13250, was fixed in Consul 1.6.6 and 1.7.4.

Background
Consul 1.2.0 introduced an agent cache to ease management of proxy configuration on the agents, allowing caching in the HTTP API. Later, 1.4.3 included the ability to turn on using the agent cache for DNS queries.

Details
It was observed that, while the cache has the ability to expire or evict old entries, it does not have the ability to limit the cache’s size. The caching feature may be abused to perform denial of service against Consul.

Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Customers should consider using the dns_config.use_cache (documentation) and http_config.use_cache (documentation) configuration options to disable agent caching.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.