VYPR
Moderate severity · NVD Advisory · Published Jun 2, 2023 · Updated Jan 8, 2025

Consul Cluster Peering can Result in Denial of Service

CVE-2023-1297

Description

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5 and 1.15.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Consul cluster peering allows a peer with a same-named service to corrupt state and cause denial of service, fixed in versions 1.14.7 and 1.15.3.

Vulnerability Overview

CVE-2023-1297 is a denial-of-service vulnerability in HashiCorp Consul's cluster peering feature. The flaw occurs when a peer cluster has a service with the same name as a local service; under these conditions, deleting the service on the peer cluster can corrupt Consul's internal state, leading to a denial of service [1][3]. The issue is rooted in how Consul handles imported service registrations that conflict with locally defined service names.

Exploitation Scenario

The vulnerability can be triggered by an attacker who controls a peer cluster in a Consul cluster peering relationship. By registering a service with the same name as a local service on the target cluster and then deleting it, the attacker can corrupt the target's state [3]. No authentication or special privileges beyond establishing a peering connection are required, though the feature is typically used in trusted environments. The attack does not require network access to the target's internal services, only the ability to peer with the cluster.

Impact

Successful exploitation results in denial of service: the corrupted state prevents Consul from operating correctly, potentially disrupting service discovery, health checks, and other critical functions [1][3]. The vulnerability does not allow data exfiltration or privilege escalation; its primary impact is on availability.

Mitigation

HashiCorp has fixed the issue in Consul versions 1.14.7 and 1.15.3 [3]. All earlier versions that support cluster peering (1.13.x through 1.14.0, and 1.15.0) are affected. Cluster peering was beta in 1.13.x and not patched there, so users on 1.13.x should upgrade to a supported fixed branch. No workarounds are documented; upgrading is the recommended remediation [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/hashicorp/consul (Go) | < 1.14.5 | 1.14.5
github.com/hashicorp/consul (Go) | >= 1.15.0, < 1.15.3 | 1.15.3
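
To check a datacenter against the ranges listed under Affected packages, the following added example (not code from HashiCorp or from this advisory page) reads the Build column of `consul members` output and sorts nodes into "upgrade" and "review by hand". The node names and sample output are constructed, and the packed-integer comparison assumes every version component is below 1000.

```go
package main

import (
	"fmt"
	"strings"
)

// Affected applies the advisory ranges (< 1.14.5, or >= 1.15.0 and < 1.15.3) to a
// build such as "1.14.4" or "1.15.2+ent"; pre-release builds return an error.
func Affected(build string) (bool, error) {
	s := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(build), "v"), "+", 2)[0]
	var major, minor, patch int
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &major, &minor, &patch); err != nil || strings.Contains(s, "-") {
		return false, fmt.Errorf("unrecognised or pre-release version %q", build)
	}
	n := major*1000000 + minor*1000 + patch // one comparable integer
	return n < 1014005 || (n >= 1015000 && n < 1015003), nil
}

// FlagMembers scans `consul members` style output, finds the Build column in the
// header row, and returns nodes to upgrade and nodes to review by hand.
func FlagMembers(out string) (upgrade, review []string) {
	lines := strings.Split(strings.TrimSpace(out), "\n")
	col := -1
	for i, h := range strings.Fields(lines[0]) {
		if h == "Build" {
			col = i
		}
	}
	for _, l := range lines[1:] {
		if f := strings.Fields(l); col >= 0 && len(f) > col {
			if hit, err := Affected(f[col]); err != nil {
				review = append(review, f[0])
			} else if hit {
				upgrade = append(upgrade, f[0])
			}
		}
	}
	return
}

// sample is constructed output in the layout printed by `consul members`.
const sample = `Node   Address        Status  Type    Build       Protocol  DC   Partition  Segment
srv-a  10.0.0.1:8301  alive   server  1.14.4      2         dc1  default    <all>
srv-b  10.0.0.2:8301  alive   server  1.15.3+ent  2         dc1  default    <all>
srv-c  10.0.0.3:8301  alive   client  1.15.3-rc1  2         dc1  default    <default>`

func main() {
	fmt.Println(FlagMembers(sample))
}
```

A node that appears in neither list is on a build outside the affected ranges; the advisory only applies where cluster peering is in use.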

Affected products

28

References

3
