#VU77106 Improper access control in Consul Enterprise - CVE-2023-2816

Cybersecurity Help s.r.o.

Published: 2023-06-08

Vulnerability identifier: #VU77106

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-2816

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Consul Enterprise
Server applications / Other server solutions

Vendor: HashiCorp

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Lua extension. A remote user with service:write ACL permissions for an upstream service can modify Envoy proxy config for downstream services without equivalent permissions for those services.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Consul Enterprise: 1.15.0 - 1.15.2

External links
https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525
https://github.com/hashicorp/consul/issues/17415
https://github.com/hashicorp/consul/releases/tag/v1.15.3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for HashiCorp Consul

Multiple vulnerabilities in HashiCorp consul