Based on an internal investigation, it was discovered that the server hostname verification in agent-to-agent TLS for Consul does not function properly. This vulnerability affects only version 1.4.3 of Consul, both OSS and Enterprise.
This document outlines details about this vulnerability. It is necessary to upgrade Consul to 1.4.4 in order to remediate.
Summary
You should take action if you utilize agent-to-agent TLS with the verify_server_hostname configuration set to true. This is an optional but suggested setting in order to ensure only Consul servers can gain access to specific data.
For full details, continue reading below.
Configuration of verify_server_hostname
Since Consul 0.5.1, Consul has supported a feature that verifies that TLS certificates presented by Consul servers match a specific hostname such as server.datacenter.domain. When TLS certificates are generated with a matching pattern, this prevents a Consul agent running in client mode from masquerading as a server and exposing data the client may not otherwise be authorized to access.
This feature is configured by setting verify_server_hostname to true in Consul configuration. We recommend this as a standard setting for TLS configuration.
An issue in Consul 1.4.3 exists where the configured value is not passed down correctly and always uses the default false when generating the TLS configuration. The result is that the certificates of the servers are no longer checked for the correct server hostname by the client.
As a result, any client can be restarted with the -server flag and there is no protection against it accessing data clients should not have access to. Under normal circumstances, existing servers and clients would prevent the agent from communicating with the cluster.
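What the hostname check buys you, as an added example in Go (not Consul's own code): every agent in the cluster holds a certificate signed by the cluster CA, so without verify_server_hostname the client has no way to tell a client agent's certificate from a server's. The CA, the agent names and the x509 verification below are constructed for illustration and do not reproduce Consul's actual TLS wiring.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a key and cert for dnsName: a self-signed CA if parent is nil, else a leaf signed by parent/parentKey.
func issue(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: illustration only
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptedAsServer: the peer must chain to the cluster CA and, only with verifyServerHostname, carry the server name.
func acceptedAsServer(peer, ca *x509.Certificate, verifyServerHostname bool) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool}
	if verifyServerHostname {
		opts.DNSName = "server.dc1.consul" // the server.<datacenter>.<domain> pattern from the text
	}
	_, err := peer.Verify(opts)
	return err == nil
}

// Demo: is a CA-signed certificate for an agent named client.dc1.consul accepted as a server's, with and without the check?
func Demo() (withCheck, withoutCheck bool) {
	ca, caKey := issue("consul-ca", nil, nil, true)
	clientCert, _ := issue("client.dc1.consul", ca, caKey, false)
	return acceptedAsServer(clientCert, ca, true), acceptedAsServer(clientCert, ca, false)
}
```

With the check on, the client agent's certificate is rejected as a server certificate; with the check silently off, as in 1.4.3, the same certificate is accepted because it chains to the cluster CA.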
Detection
The below example shows an affected configuration for Consul version 1.4.3 in JSON. Note that this only shows the TLS portion of Consul configuration.
Example 1: Affected
This example is vulnerable because it sets verify_server_hostname to true. Even though verify_server_hostname is configured, it is not actually checked. This example assumes the configuration file matches the running configuration of the agent.
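An added detection check in Go (not part of the advisory or of Consul) that applies the conditions above to an agent's version string and the TLS portion of its JSON configuration. The sample configuration and its file paths are constructed, and the first line of consul version output is assumed to look like "Consul v1.4.3" (Enterprise: "Consul v1.4.3+ent").

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// agentTLS holds the only top-level Consul 1.4 agent-configuration key this check reads.
type agentTLS struct {
	VerifyServerHostname bool `json:"verify_server_hostname"`
}

// Assumed format of the first line of "consul version": "Consul v1.4.3" or "Consul v1.4.3+ent".
var versionRE = regexp.MustCompile(`v?(\d+\.\d+\.\d+)(\+ent)?`)

// Constructed sample input (not from the advisory): the TLS portion of an affected agent config.
var sampleConfig = []byte(`{
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "/etc/consul.d/consul-agent-ca.pem",
  "cert_file": "/etc/consul.d/dc1-client-consul-0.pem",
  "key_file": "/etc/consul.d/dc1-client-consul-0-key.pem"
}`)

// AffectedByCVE20199764 is true when the agent runs Consul 1.4.3 (OSS or Enterprise) with
// verify_server_hostname set to true, the combination in which the setting is silently ignored.
func AffectedByCVE20199764(versionLine string, configJSON []byte) (bool, error) {
	var cfg agentTLS
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return false, fmt.Errorf("parse config: %w", err)
	}
	m := versionRE.FindStringSubmatch(versionLine)
	if m == nil {
		return false, fmt.Errorf("no version number in %q", versionLine)
	}
	return m[1] == "1.4.3" && cfg.VerifyServerHostname, nil
}
```

An agent on 1.4.3 with the setting off is not flagged: it never relied on hostname verification in the first place.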
Remediation
All affected users should upgrade to Consul 1.4.4. Every agent that has verify_server_hostname turned on, both client and server, requires an upgrade for remediation.
hanshasselberg changed the title from "Something isn't right..." to "Consul CVE-2019-9764: Server Hostname Verification in agent-to-agent TLS is skipped even when configured" on Mar 21, 2019