#VU80034 Unchecked Return Value in Consul and Consul Enterprise - CVE-2022-40716


Vulnerability identifier: #VU80034

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-40716

CWE-ID: CWE-252

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Consul
Server applications / Other server solutions
Consul Enterprise
Server applications / Other server solutions

Vendor: HashiCorp

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error when handling CSR requests at the RPC endpoint. A remote user with access to a client agent’s mTLS certificate and a valid ACL token for any service within the mesh can send a specially crafted certificate signing request (CSR) to the Consul’s internal RPC endpoint and bypass intended ACL token restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Consul: 1.11.0 - 1.13.1

Consul Enterprise: 1.11.0 - 1.13.1

External links
https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps
Fedora 38 update for moby-engine
Fedora 37 update for moby-engine
Fedora 39 update for moby-engine
Fedora 36 update for golang-github-hashicorp-consul-api
Fedora 37 update for golang-github-hashicorp-consul-api
Fedora 37 update for golang-github-hashicorp-consul-sdk
Fedora 36 update for golang-github-hashicorp-consul-sdk
Security restrictions bypass in HashiCorp Consul