VYPR
High severity · NVD Advisory · Published Jul 17, 2021 · Updated Aug 4, 2024

CVE-2021-36213

Description

In HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0, a default deny policy combined with a single L7 application-aware intention that has a deny action cancels out, causing the intention to incorrectly fail open and allow L4 traffic. Fixed in 1.9.8 and 1.10.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Consul 1.9.0-1.10.0 default deny policy with a single L7 deny intention fails open, allowing L4 traffic.

Vulnerability

HashiCorp Consul and Consul Enterprise versions 1.9.0 through 1.10.0 are affected by a vulnerability where a default deny policy combined with a single L7 application-aware intention that also has a deny action causes the intention to incorrectly fail open, allowing L4 traffic that should be denied. This issue was identified internally and affects Consul's service mesh intentions logic. [1][3]

Exploitation

An attacker with network access to a Consul service mesh configured with a default deny policy and a single L7 deny intention can exploit this vulnerability by sending L4 traffic to services that are intended to be denied. The attacker does not require authentication, as the configuration effectively nullifies the intended access control. [3]

Impact

Successful exploitation allows an attacker to bypass the intended deny policy, permitting L4 traffic to services that should be blocked. This can lead to unauthorized access to services within the mesh, potentially exposing sensitive data or services. [3]

Mitigation

The vulnerability is fixed in Consul versions 1.9.8 and 1.10.1. Users running affected versions should upgrade immediately. If upgrade is not possible, remove any redundant L7 deny intentions that duplicate the default deny policy as a workaround. [3][4]
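As an added illustration, not taken from the advisory or from HashiCorp's own documentation, the two configuration pieces below show the shape the advisory describes (a default deny policy plus a single L7 intention whose only permission is a deny) and the workaround it recommends. The service names `web` and `api` and the `/` path prefix are assumptions chosen for the example.

```hcl
# File 1 (constructed): Consul agent configuration.
# With ACLs enabled and default_policy = "deny", any source -> destination pair
# that has no allowing intention is denied by default.
acl {
  enabled        = true
  default_policy = "deny"
}

# File 2 (constructed): a service-intentions config entry of the affected shape.
# The only permission for source "api" is an L7 deny, which merely duplicates the
# default deny. Per the advisory, on Consul 1.9.0 - 1.10.0 this combination
# cancels out and L4 traffic from "api" to "web" is incorrectly allowed.
Kind = "service-intentions"
Name = "web"            # destination service (assumed name)
Sources = [
  {
    Name = "api"        # source service (assumed name)
    Permissions = [
      {
        Action = "deny"
        HTTP {
          PathPrefix = "/"   # assumed match; the point is that the lone permission is a deny
        }
      }
    ]
  }
]

# Workaround (advisory): drop the redundant entry so the default deny policy alone
# governs the pair. Applied with the Consul CLI:
#   consul config delete -kind service-intentions -name web
# Permanent fix: upgrade to 1.9.8 or 1.10.1.
```

After removing the entry, `consul intention check api web` should report the connection as denied, because with no matching intention the ACL default policy applies. Note that this check evaluates the intention decision on the Consul side only; it is a sanity check that the redundant entry is gone, not a reproduction of the data-plane behaviour the advisory describes.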

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          | Affected versions | Patched versions
github.com/hashicorp/consul (Go) | < 1.10.1          | 1.10.1

Affected products: 27

Patches: 0 (no patches discovered yet)


References: 6
