HashiCorp recently disclosed a critical security vulnerability (CVE-2023-3518) affecting their Consul and Consul Enterprise products, specifically when using JWT (JSON Web Tokens) authentication for service mesh. The vulnerability allows unauthorized access to potentially sensitive services by either incorrectly granting or denying access regardless of the specified service identities.

Vulnerability Details

The vulnerability primarily exists in the JWT auth implementation for Service Mesh in Consul and Consul Enterprise versions 1.16.; it has been resolved in version 1.16.1. The flaw allows any valid JWT token to access services regardless of the associated service identities specified in the token.

For those unfamiliar with JWT and Consul's Service Mesh framework, a quick rundown

* JWT (JSON Web Tokens) are a compact URL-safe means of representing claims to be transferred between two parties. They are widely used for authorization purposes.
* Consul's Service Mesh aids in securing services through a variety of methods, one of which is authenticating communication via JWT.

When a JWT authenticated request is passed to the Consul service mesh, the Consul proxy is responsible for validating the token (checking signature, expiration, etc.) and authorizing access based on the token’s claims.

Unfortunately, the vulnerability in question allows an attacker to bypass the authorization checks if they manage to get their hands on a valid JWT. This means that an attacker could potentially access sensitive services or view restricted information without the proper permissions.

Code Snippet

Below is an example of how JWT authentication in Consul's service mesh configuration would typically be set up:

consul_acl_jwt_validation_pub_keys = {
   "key-1" = "-----BEGIN PUBLIC KEY-----
   ... (key material here) ...
   -----END PUBLIC KEY-----"
   "key-2" = "-----BEGIN PUBLIC KEY-----
   ... (key material here) ...
   -----END PUBLIC KEY-----"
}

serviceidentity "web" {
   jwt_authorization = {
       claim_assertions = ["value.%{service}.%{namespace}.read == true"
   }
}

serviceidentity "api" {
   jwt_authorization = {
       claim_assertions = ["value.%{service}.%{namespace}.write == true"
   }
}

In the code snippet above, there are two service identities ("web" and "api") along with their respective authorization configurations. Ideally, access should only be granted to the services if the JWT token asserts proper claims. However, the vulnerability may allow any valid JWT token holder to bypass these intended restrictions.

Exploit Details

To exploit this vulnerability, an attacker would first need to obtain a valid JWT, either by compromising a legitimate user's token or another method. Once in possession of a valid JWT, the attacker could bypass the authorization checks meant to restrict access, potentially compromising sensitive services or data.

For more information about this vulnerability, as well as the remediation steps, you can refer to the following sources:

* HashiCorp's security bulletin: https://discuss.hashicorp.com/t/consul-1-16-1-security-release/37061
* CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3518
* Consul's documentation on JWT auth: https://www.consul.io/docs/security/acl/auth-methods/jwt

Solution and Mitigation

Upgrading to Consul and Consul Enterprise 1.16.1 resolves this vulnerability. Users of affected versions are highly encouraged to update their installations as soon as possible.

Though there are no known workarounds or temporary fixes, HashiCorp recommends employing additional security measures such as network segmentation, effective monitoring, and intrusion detection to mitigate the impact in case of an exploitation attempt.

Timeline

Published on: 08/09/2023 16:15:00 UTC
Last modified on: 08/16/2023 17:32:00 UTC