The above findings indicate that HashiCorp Consul versions 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 are vulnerable to a potential XSS attack. In order to exploit this vulnerability, an attacker would need to convince an unsuspecting user to visit a malicious website.

After successfully exploiting the GitHub issue detailed above, an attacker could use the node and segment names to construct a JSON Web Token (JWT) and then send the token as an authentication request to an affected Consul instance. Once a vulnerable Consul instance receives the request, it would validate the provided token and attempt to access the provided data. Unfortunately, if the validated token contained the node or segment name from the attacker’s source, the vulnerable Consul instance would access the malicious data.

HashiCorp Consul API and Daemon Configuration

HashiCorp recommends that users update their Consul configuration so that it does not allow authentication requests from the same source IP address. This is accomplished by changing the default "authorized-ips" setting in consul.json to a range of IP addresses (e.g., 127.0.0.1/8, ::1/128).

HashiCorp Consul Authentication Bypass Common Vulnerability Scenarios

This vulnerability is most likely to be exploited by attackers who have access to a web server that provides services to Consul instances. In this example, an attacker would be able to access the data of their own node or segment. If a user visits a malicious website, an attacker could also leverage the GitHub issue detailed above to authenticate against a vulnerable Consul instance.

Limitations and Recommendations

- The vulnerability is triggered by a user visiting a malicious website, not by any type of network or system-wide vulnerability.
- This vulnerability can only be exploited if the authenticated user’s browser cookie is accessible to an attacker.
- An attacker would need to have control of the server where the Consul instance is running in order to exploit this vulnerability.
- HashiCorp was contacted and confirmed this vulnerability on December 27, 2018.

Timeline

Published on: 09/23/2022 01:15:00 UTC
Last modified on: 09/24/2022 02:02:00 UTC