VYPR
High severity · NVD Advisory · Published Jul 17, 2021 · Updated Aug 3, 2024

CVE-2021-32574

Description

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Consul's Envoy proxy TLS configuration does not validate the destination service's SAN, allowing service impersonation in versions 1.3.0–1.10.0.

Vulnerability

HashiCorp Consul and Consul Enterprise versions 1.3.0 through 1.10.0 contain a vulnerability in the Envoy proxy TLS configuration for Consul Connect. The configuration does not validate the destination service identity encoded in the X.509 Subject Alternative Name (SAN) of the SPIFFE certificate. This affects all deployments using Consul Connect with Envoy proxies, where service-to-service communication relies on mutual TLS and intentions. The issue is fixed in versions 1.8.14, 1.9.8, and 1.10.1 [1], [2], [3].

Exploitation

An attacker with network access to a Consul Connect service mesh can potentially impersonate a legitimate destination service. The attacker must control a service that has a valid certificate issued by the Consul CA. Because the Envoy proxy only verifies that the certificate is signed by a trusted CA and does not check the destination identity in the SAN, a malicious service can present its own valid certificate and be incorrectly trusted as the intended upstream service. No additional authentication or user interaction is required beyond being part of the mesh [3].

Impact

Successful exploitation allows a malicious service to masquerade as another service within the Consul Connect mesh. This can lead to unauthorized access to sensitive data or functions intended for the impersonated service, violating the intended security policy enforced by Consul intentions. The confidentiality and integrity of service-to-service communication can be compromised, potentially enabling lateral movement or data exfiltration [1], [3].

Mitigation

Upgrade Consul or Consul Enterprise to version 1.8.14, 1.9.8, 1.10.1, or later. These versions include the fix that enables mutual verification of destination service identity via the encoded SAN in the Envoy proxy TLS configuration [1], [2], [3]. Gentoo users should upgrade to consul >=1.9.17 [4]. No workaround is available for unpatched versions.
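To make the distinction between the vulnerable and the fixed behaviour concrete, the following Go program is an added illustration; it is not Consul's or Envoy's own code. It models the two verification policies described above: accepting any leaf certificate that chains to the mesh CA (the pre-fix behaviour) versus also requiring the leaf's URI SAN to equal the SPIFFE ID of the upstream the client intended to reach (what the fixed Envoy TLS configuration enforces). The SPIFFE ID layout `spiffe://<trust-domain>.consul/ns/<ns>/dc/<dc>/svc/<service>` follows Consul Connect's documented format; the trust-domain UUID, the CA, and the two service certificates are all constructed in-process, and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed placeholder; a real cluster's trust domain is a UUID issued by its CA.
const trustDomain = "11111111-2222-3333-4444-555555555555"

// spiffeID builds the URI SAN Consul Connect places in a service's leaf certificate.
func spiffeID(ns, dc, svc string) string {
	return fmt.Sprintf("spiffe://%s.consul/ns/%s/dc/%s/svc/%s", trustDomain, ns, dc, svc)
}

// verifyChainOnly models the pre-fix policy: any leaf signed by the mesh CA is
// accepted, regardless of which service it identifies.
func verifyChainOnly(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// verifyChainAndSAN models the fixed policy: the leaf must chain to the CA and
// must carry the expected upstream SPIFFE ID as a URI SAN.
func verifyChainAndSAN(leaf *x509.Certificate, roots *x509.CertPool, expected string) error {
	if err := verifyChainOnly(leaf, roots); err != nil {
		return err
	}
	for _, u := range leaf.URIs {
		if u.String() == expected {
			return nil
		}
	}
	return fmt.Errorf("peer certificate does not carry expected SPIFFE ID %q", expected)
}

// newCA creates a throwaway self-signed CA standing in for the Consul CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed mesh CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a service certificate whose only identity is the URI SAN.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, id string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Outcome records each policy's decision when a client expecting "db" is shown
// the real "db" certificate and a valid certificate of another mesh member, "web".
type Outcome struct {
	ChainOnlyAcceptsOtherService bool
	SANCheckAcceptsOtherService  bool
	SANCheckAcceptsRealService   bool
}

func RunScenario() (Outcome, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	want := spiffeID("default", "dc1", "db") // the upstream the client intends to reach
	dbCert, err := issueLeaf(ca, caKey, 2, want)
	if err != nil {
		return Outcome{}, err
	}
	webCert, err := issueLeaf(ca, caKey, 3, spiffeID("default", "dc1", "web"))
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		ChainOnlyAcceptsOtherService: verifyChainOnly(webCert, roots) == nil,
		SANCheckAcceptsOtherService:  verifyChainAndSAN(webCert, roots, want) == nil,
		SANCheckAcceptsRealService:   verifyChainAndSAN(dbCert, roots, want) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Both certificates are equally valid under the chain-only policy, which is exactly why intentions cannot be relied on when the upstream identity is never compared against the one the client asked for; the SAN comparison is the step that ties the TLS handshake back to the service named in the intention. In a real deployment this comparison is carried out by Envoy from the TLS context Consul generates, not by application code.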

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/hashicorp/consul (Go)
Affected versions: < 1.10.1
Patched versions: 1.10.1

Affected products: 27

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)