HTTP/RPC Services Allow Unbounded Resource Usage, Susceptible to Unauthenticated Denial of Service #7159

@hanshasselberg

Description

Vulnerability ID: CVE-2020-7219
Release Date: January 29, 2020
Affected Products/Versions: Previous versions of Consul and Consul Enterprise; fixed in 1.6.3.

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server. This vulnerability affects all previous releases of Consul, and is fixed in the 1.6.3 release.

This document outlines details about this vulnerability and describes steps for remediation, as well as options to consider if an upgrade is not possible.

Background

Consul utilizes HTTP for networked communication between Consul cluster members and control/administration of Consul servers.

Consul also implements Remote Procedure Call (RPC), a request/response mechanism that allows Consul agents to make requests of a server; RPC traffic traverses the network between Consul nodes over TCP.

Consul’s HTTP and RPC both support using end-to-end TLS with optional client authentication.

Vulnerability Details

An internal security review identified a vulnerability such that it was possible to consume excessive Consul server resources via HTTP and RPC services.

A Consul server was exposed to a denial of service attack by any party with network-level connectivity to that server. Authentication via mutual TLS is not required in order to launch an attack.

This relates to the denial of service property documented in the Consul security model. While successful exploitation of this vulnerability would not affect confidentiality or data integrity within a Consul deployment, availability would be affected.

Remediation

Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Several new configuration options are introduced (rpc_max_conns_per_client, rpc_handshake_timeout, http_max_conns_per_client, https_handshake_timeout) with default values that restrict resource usage and reduce exposure to attack.

If upgrade is not possible, customers may consider other mitigation options:

  • Restrict connectivity to Consul servers to trusted sources/networks only. TCP ports used by Consul for HTTP, HTTPS, and RPC default to 8500, 8501, and 8300.

  • Restrict resource usage on Consul servers by enforcing network connection limits. For example, to reset any client that holds more than 100 concurrent connections to the RPC port:
    iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset

Enabling TLS for RPC between agents as a defense-in-depth mechanism for Consul clusters, per documentation, remains strongly recommended.
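As an added example that is not part of this advisory or the Consul project's documentation, the following Consul agent configuration (for 1.6.3 or newer) sets the four new options explicitly and keeps RPC TLS enabled. The placement of the options under the limits stanza, the numeric values, and the certificate file paths are assumptions; confirm them against the agent configuration reference for the version you run.

```hcl
# Added example, not from the advisory: Consul >= 1.6.3 agent configuration
# bounding per-client connections and TLS handshake time, which is what the
# CVE-2020-7219 fix introduces. "limits" placement and values are assumptions.
limits {
  # Maximum concurrent RPC (default port 8300) connections from one client IP.
  # An unauthenticated peer can no longer hold an unbounded number of sockets.
  rpc_max_conns_per_client = 100

  # Time an RPC client has to finish the TLS handshake before the server
  # drops the connection, so half-open TLS sessions cannot pile up.
  rpc_handshake_timeout = "5s"

  # Maximum concurrent HTTP/HTTPS (default ports 8500/8501) connections
  # from one client IP.
  http_max_conns_per_client = 200

  # Time an HTTPS client has to finish the TLS handshake.
  https_handshake_timeout = "5s"
}

# Defense in depth per the advisory: require TLS on incoming RPC and verify
# outgoing connections. Paths below are placeholders for your own PKI files.
verify_incoming_rpc = true
verify_outgoing     = true
ca_file   = "/etc/consul.d/tls/ca.pem"
cert_file = "/etc/consul.d/tls/server.pem"
key_file  = "/etc/consul.d/tls/server-key.pem"
```

Validate the file with the agent's configuration check before rolling it out, and pair it with the network-level restrictions above so that the limits are not the only thing standing between the server and an untrusted network.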
