Consul CVE-2019-8336: Potential Privilege Escalation in ACL Replication #5423
An internal investigation led to the discovery of an issue with the Consul 1.4 ACL system that, given a very specific set of conditions and events, can allow an unauthorized client to gain the privileges of one other arbitrary ACL token within secondary datacenters. This affects Consul versions 1.4.0, 1.4.1 and 1.4.2.
You should take action if you utilize Consul 1.4.0+ with ACL token replication (multi-datacenter). Given this was introduced in version 1.4.0, we do recommend upgrading to the minor 1.4.3 release regardless of usage of the ACL replication features.
Remediation steps with an upgrade to Consul 1.4.3:
Remediation steps without an upgrade - disabling token replication:
Unless you are using local tokens, the simplest way to remediate the problem without an upgrade is to disable token replication. If you rely on local tokens, this cannot be done, as token replication is a prerequisite for local tokens.
Escalation to the privileges of a specific token requires the following conditions:
When those conditions are met, the ACL token replication process in a secondary datacenter can end up injecting a token with a secret of
Note that the token will have the secret ID of the literal string
It is possible to detect if a secondary datacenter is affected using the following Consul CLI command:
This assumes that you are running the
Consul already prevents multiple tokens from having the same secret, so this can only grant access to a single token, though it is not deterministic which token that will be. In the worst case it could be a privileged token capable of unrestricted access in the secondary datacenter.
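As an added detection helper (not Consul's own code and not the CLI command this page refers to): given full token reads from a secondary datacenter, it flags the token whose SecretID is the injected literal and reports whether that token is the unrestricted worst case. The literal itself is a placeholder here because this copy of the advisory omits it; the `/v1/acl/token/<accessor>` read endpoint, the `global-management` policy name and the built-in `anonymous` SecretID are assumed from Consul's documented ACL system, and the sample JSON is constructed.

```python
import json
import uuid

# Placeholder (assumption): this page's copy of the advisory omits the literal secret; substitute the real value.
INJECTED_SECRET = "<LITERAL-SECRET-FROM-ADVISORY>"

def is_uuid(value):
    """True if value has the UUID shape of a Consul-generated SecretID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def find_suspect_tokens(token_reads):
    """Scan full token objects (one per /v1/acl/token/<accessor> read) from a
    secondary datacenter. A SecretID equal to the injected literal is the
    affected token; any other non-UUID secret (other than the built-in
    'anonymous' one) is a legacy or hand-set secret worth reviewing."""
    findings = []
    for tok in token_reads:
        secret = tok.get("SecretID", "")
        if secret == INJECTED_SECRET:
            reason = "matches-injected-literal"
        elif secret != "anonymous" and not is_uuid(secret):
            reason = "non-uuid-secret"
        else:
            continue
        policies = [p.get("Name", "") for p in tok.get("Policies") or []]
        findings.append({
            "AccessorID": tok.get("AccessorID"),
            "Reason": reason,
            "Local": bool(tok.get("Local", False)),
            "Policies": policies,
            "Unrestricted": "global-management" in policies,  # worst case
        })
    return findings

# Constructed sample reads (not real data): one intact replicated token, the
# built-in anonymous token, and one token whose secret replication overwrote.
SAMPLE_TOKEN_READS = json.loads("""[
  {"AccessorID": "6b2a9f1e-3c44-4d2e-9a0b-5e7f8c1d2a31", "Local": false,
   "SecretID": "0c3d5e7f-9a1b-4c2d-8e4f-6a7b8c9d0e1f",
   "Policies": [{"ID": "p-1", "Name": "service-read"}]},
  {"AccessorID": "00000000-0000-0000-0000-000000000002", "Local": false,
   "SecretID": "anonymous", "Policies": []},
  {"AccessorID": "a4c1d2e3-f5a6-47b8-9c0d-1e2f3a4b5c6d", "Local": false,
   "SecretID": "<LITERAL-SECRET-FROM-ADVISORY>",
   "Policies": [{"ID": "p-0", "Name": "global-management"}]}
]""")
```

A single match is the expected outcome on an affected datacenter, since Consul does not allow two tokens to share a secret; an empty result on every secondary datacenter indicates the injection did not occur.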
Changes to token replication and the ACL system were made in 1.4.0. This vulnerability affects versions 1.4.0, 1.4.1, and 1.4.2. Version 1.4.3 fixes this and provides a mitigation for users coming from affected versions. If a token exists with the