On November 27, 2018, HashiCorp published a vulnerability notice on the official Consul blog. The notice stated that Consul with specific configurations can be exposed to a remote code execution (RCE) vulnerability, and outlined how to fix it.
Consul is an open source tool developed by HashiCorp. This tool is used to discover and configure services in distributed systems and provides an end-to-end solution. Consul provides multiple features, such as service registration and discovery, consensus protocol implementation, health checking, key-value store, and multi-data center support. All this makes Consul simple to configure and independent of other tools, such as ZooKeeper.
Consul is written in Go and supports Linux, Windows, and Mac OS X. Therefore, it is portable. Consul is easy to deploy because its installation package contains only one executable file. Consul works well together with lightweight containers such as Docker.
RCE vulnerability in HashiCorp Consul service APIs
Attackers can send crafted HTTP requests and remotely execute commands without authorization on Consul servers that have specific configurations. For more information about the Consul vulnerability, see Protecting Consul from RCE Risk in Specific Configurations.
- Verify whether your Consul server is exposed to the RCE vulnerability.
- Craft an HTTP PUT request and remotely execute commands on the Consul server.
Affected versions: all versions of Consul in which -enable-script-checks is set to true, which enables the script check feature.
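The following is an added audit script, not code from the advisory or from HashiCorp. It evaluates the output of Consul's GET /v1/agent/self endpoint for the two conditions the advisory combines: script checks that can be registered remotely, and an HTTP API listener that is reachable beyond the loopback interface. The DebugConfig field names used here (EnableRemoteScriptChecks, EnableScriptChecks, EnableLocalScriptChecks, HTTPAddrs) are assumptions about the agent's self-report and should be checked against your own agent's output; the sample responses are constructed.

```python
"""Audit a Consul agent for the script-check RCE exposure (added example)."""
import ipaddress
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample of a trimmed GET /v1/agent/self response for an agent
# that is still running with -enable-script-checks and a public HTTP bind.
# Key names inside DebugConfig are assumed, not taken from the advisory.
EXPOSED_AGENT_SELF = json.dumps({
    "Config": {"Version": "1.2.3", "NodeName": "web-1"},
    "DebugConfig": {
        "EnableRemoteScriptChecks": True,
        "EnableLocalScriptChecks": True,
        "HTTPAddrs": ["tcp://0.0.0.0:8500"],
    },
})

# Constructed sample for the hardened state recommended by the advisory:
# only local script checks and the HTTP API bound to loopback.
HARDENED_AGENT_SELF = json.dumps({
    "Config": {"Version": "1.2.4", "NodeName": "web-1"},
    "DebugConfig": {
        "EnableRemoteScriptChecks": False,
        "EnableLocalScriptChecks": True,
        "HTTPAddrs": ["tcp://127.0.0.1:8500", "unix:///run/consul.sock"],
    },
})


def is_local_listener(addr: str) -> bool:
    """True if a Consul listener string such as tcp://127.0.0.1:8500 is only
    reachable from the host itself (loopback address or unix socket)."""
    parts = urlsplit(addr)
    if parts.scheme == "unix":
        return True
    host = parts.hostname or ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def script_check_exposure(agent_self_json: str) -> dict:
    """Classify an agent's risk from the advisory's two conditions."""
    cfg = json.loads(agent_self_json).get("DebugConfig", {})
    # Fixed builds report a separate remote flag; older builds (assumed) report
    # the single EnableScriptChecks flag. Either one means remote registration
    # of script checks is accepted.
    remote_scripts = bool(cfg.get("EnableRemoteScriptChecks")
                          or cfg.get("EnableScriptChecks"))
    http_addrs = cfg.get("HTTPAddrs", [])
    public_addrs = [a for a in http_addrs if not is_local_listener(a)]
    if remote_scripts and public_addrs:
        risk = "critical"   # remote script checks reachable over the network
    elif remote_scripts:
        risk = "high"       # still exploitable by anything on the host
    else:
        risk = "ok"
    return {
        "risk": risk,
        "remote_script_checks": remote_scripts,
        "local_script_checks": bool(cfg.get("EnableLocalScriptChecks")),
        "public_http_addrs": public_addrs,
    }


def fetch_agent_self(base_url: str = "http://127.0.0.1:8500") -> str:
    """Fetch /v1/agent/self from a live agent (not used by the samples)."""
    with urlopen(base_url + "/v1/agent/self", timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED_AGENT_SELF),
                          ("hardened", HARDENED_AGENT_SELF)):
        print(label, script_check_exposure(sample))
```

Run it against a real agent by replacing the samples with fetch_agent_self(); a "critical" result means both the upgrade (or disabling script checks) and the network restriction in the solution list apply.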
- Disable the script check function on the Consul server.
- If you need the script check feature of Consul, upgrade Consul to one of the following versions: 0.9.4, 1.0.8, 1.1.1, or 1.2.4. These versions replace -enable-script-checks with -enable-local-script-checks, which permits script checks only when they are defined in the agent's local configuration rather than registered through the HTTP API.
- Make sure that you cannot call or access Consul HTTP APIs over the Internet.
- Enable the custom protection policy feature of WAF and configure the protection rule shown in the following figure. This rule blocks requests that use the HTTP PUT method and contain /v1/agent/service/register in their URLs. For more information, see Create a custom protection policy.