HCSEC-2024-23

**Bulletin ID:** HCSEC-2024-23

**Affected Products / Versions:** Consul Community Edition from 1.9.0 up to 1.20.0, fixed in 1.20.1. Consul Enterprise from 1.9.0 up to 1.20.0, 1.19.2, 1.18.4, 1.15.14, fixed in 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

**Publication Date:** October 30, 2024

**Summary**

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. This vulnerability, identified as CVE-2024-10006, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

**Background**

[Intentions](https://developer.hashicorp.com/consul/docs/connect/intentions) control traffic communication between services at the network layer, also called L4 traffic, or the application layer, also called L7 traffic. For destination services using an HTTP-based protocol, the [L7 traffic intentions](https://developer.hashicorp.com/consul/docs/connect/intentions#l7-traffic-intentions) can enforce access based on application-aware request attributes to control traffic between services based on [service intention configuration](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions). [Headers](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions#sources-permissions-http-header) are part of [HTTP permissions](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions#sources-permissions-http) configurable in the L7 intentions to control traffic based on matching one or more provided values.

**Details**

Consul allows administrators to implement application-aware controls, so-called L7 intentions, to configure deny- and allow-list based rules. Due to a lack of header normalization, a vulnerability was identified where multiple headers and/or case-sensitivity could be exploited to bypass permissions defined in the intentions.
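To illustrate why header normalization matters for a rule like the one above, the following Go snippet (an added example, not Consul's own code) contrasts a matcher that compares header names case-sensitively and stops at the first name hit with one that canonicalizes names and evaluates every value sent under that name. The `Header`, `HeaderRule`, `naiveMatch` and `normalizedMatch` types and functions are constructed for this example, and it assumes the bypass is modelled by mixed-case header names and duplicate headers.

```go
package main

import (
	"fmt"
	"net/textproto"
)

// Header is one raw request header exactly as received, before normalization.
type Header struct{ Name, Value string }

// HeaderRule is a simplified L7 header match rule (constructed for this
// example, not Consul's configuration type). Present matches when the header
// exists at all; otherwise Exact must equal the header value.
type HeaderRule struct {
	Name    string
	Present bool
	Exact   string
}

// naiveMatch compares names case-sensitively and returns on the first name
// hit, so "x-debug" never matches "X-Debug" and a second duplicate header
// carrying a different value is never examined.
func naiveMatch(r HeaderRule, hdrs []Header) bool {
	for _, h := range hdrs {
		if h.Name == r.Name {
			return r.Present || h.Value == r.Exact
		}
	}
	return false
}

// normalizedMatch canonicalizes names (HTTP header names are case-insensitive)
// and checks every value carried under that name, so a rule written to catch
// a header fires regardless of how the sender cased or repeated it.
func normalizedMatch(r HeaderRule, hdrs []Header) bool {
	want := textproto.CanonicalMIMEHeaderKey(r.Name)
	for _, h := range hdrs {
		if textproto.CanonicalMIMEHeaderKey(h.Name) != want {
			continue
		}
		if r.Present || h.Value == r.Exact {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: the header is present, but with lower-case name.
	deny := HeaderRule{Name: "X-Debug", Present: true}
	req := []Header{{"x-debug", "1"}}
	fmt.Println(naiveMatch(deny, req), normalizedMatch(deny, req)) // false true
}
```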
**Remediation**

Customers using application-aware (L7) intentions should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.1, 1.19.3, 1.18.5, 1.15.15, or newer, and updating L7 HTTP Headers intentions to ensure match rules are resilient to circumvention. See Consul's [Service Intentions configuration reference](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions#spec-sources-permissions-http-header) and [Upgrading](https://developer.hashicorp.com/consul/docs/upgrading) documentation for general guidance on this process.

**Acknowledgement**

This issue was identified by HashiCorp's external security assessment partner and Consul engineering teams.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*

Timeline

  • Oct 30, 2024 CVE Published