
Consul CVE-2019-9764: Server Hostname Verification in agent-to-agent TLS is skipped even when configured #5519

Closed
hanshasselberg opened this issue Mar 20, 2019 · 1 comment


hanshasselberg commented Mar 20, 2019

Based on an internal investigation it was discovered that the server hostname verification in agent-to-agent TLS for Consul does not function properly. This vulnerability affects only version 1.4.3 of Consul, both OSS and Enterprise.

This document outlines details about this vulnerability. It is necessary to upgrade Consul to 1.4.4 in order to remediate.

Summary

You should take action if you utilize agent-to-agent TLS with the verify_server_hostname configuration set to true. This is an optional but suggested setting in order to ensure only Consul servers can gain access to specific data.

For full details, continue reading below.

Configuration of verify_server_hostname

Since Consul 0.5.1, Consul has supported a feature that verifies that TLS certificates presented by Consul servers match a specific hostname such as server.datacenter.domain. When TLS certificates are then generated with a matching pattern, this can prevent a Consul agent running in client mode in the cluster from masquerading as a server and exposing data the client may not otherwise be authorized to access.

This feature is configured by setting verify_server_hostname to true in Consul configuration. We recommend this as a standard setting for TLS configuration.

An issue in Consul 1.4.3 exists where the configured value is not passed down correctly and always uses the default false when generating the TLS configuration. The result is that the certificates of the servers are no longer checked for the correct server hostname by the client.

As a result, any client can be restarted with the -server flag and there is no protection against it accessing data clients should not have access to. Under normal circumstances, existing servers and clients would prevent the agent from communicating with the cluster.
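To make the protection concrete, the following added Go example (not Consul's own code) mints a constructed CA, a server certificate for server.dc1.consul and a client certificate, then checks the client certificate the way a client agent would, once with the hostname check (the intended verify_server_hostname behaviour) and once without it (what 1.4.3 effectively did). The datacenter dc1 and domain consul are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } }

// issue mints a constructed certificate for name, signed by parent (self-signed when parent is nil).
// Leaf certificates carry name as a DNS SAN, which is what hostname verification inspects.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA { tmpl.DNSNames = []string{name} }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// acceptedAsServer reports whether a client agent would trust leaf as a server of dc1.
// With verifyHostname the leaf must carry server.<datacenter>.<domain>; without it, any
// certificate from the cluster CA passes, which is what the 1.4.3 defect amounts to.
func acceptedAsServer(ca, leaf *x509.Certificate, verifyHostname bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if verifyHostname { opts.DNSName = "server.dc1.consul" } // assumed dc and domain
	_, err := leaf.Verify(opts)
	return err == nil
}
```

A client certificate issued by the cluster CA is rejected as a server only when the hostname check is applied; with it silently disabled, the same certificate is accepted.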

Detection

The example below shows an affected configuration for Consul version 1.4.3 in JSON. Note that this only shows the TLS portion of the Consul configuration.

Example 1: Affected

{
    "key_file": "consul-key.pem",
    "cert_file": "server.pem",
    "ca_file": "consul-ca.pem",
    "verify_server_hostname": true
}

This example is vulnerable because it sets verify_server_hostname to true. Even though verify_server_hostname is configured, it is not actually checked. This example assumes the configuration file matches the running configuration of the agent.

Remediation

All affected users should upgrade to Consul 1.4.4. Every agent that has verify_server_hostname turned on, both client and server, requires an upgrade for remediation.

hanshasselberg changed the title from "Something isn't right..." to "Consul CVE-2019-9764: Server Hostname Verification in agent-to-agent TLS is skipped even when configured" on Mar 21, 2019
@hashicorp hashicorp deleted a comment from pierresouchay Mar 21, 2019
@hashicorp hashicorp deleted a comment from tradel Mar 21, 2019
hanshasselberg (Member, Author) commented:

Fixed in 7e11dd8.
