CVE-2021-41805 in Consul Enterprise
Summary
by MITRE • 12/12/2021
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Analysis
by VulDB Data Team • 12/15/2021
HashiCorp Consul Enterprise versions prior to 1.8.17, 1.9.x prior to 1.9.11, and 1.10.x prior to 1.10.4 contain a critical access control vulnerability that allows for unauthorized privilege escalation across namespace boundaries. This vulnerability stems from improper enforcement of access control lists that should have prevented tokens with operator:write permissions from being used across different namespaces. The flaw enables an attacker who possesses a valid ACL token with default operator:write permissions in one namespace to escalate privileges and execute operations in other namespaces where they should not have access. This represents a fundamental breakdown in the principle of least privilege and namespace isolation that Consul is designed to enforce. The vulnerability is categorized under CWE-284 Access Control, specifically addressing improper access control mechanisms that fail to properly validate user permissions across namespace boundaries.

From an operational perspective, this issue creates a significant risk for organizations using Consul Enterprise for service discovery and configuration management, as it allows for unauthorized access to sensitive service configurations, network policies, and infrastructure components across different logical namespaces. The impact extends beyond simple data access to potentially enable complete compromise of service mesh functionality and network security controls. Attackers could leverage this vulnerability to modify service registrations, manipulate network policies, and potentially gain access to critical infrastructure components that should be isolated within separate namespaces. This vulnerability directly maps to ATT&CK technique T1078 Valid Accounts, as it allows for privilege escalation using legitimate but improperly constrained access tokens.
The flaw represents a failure in the authorization mechanism that should prevent cross-namespace access control violations, making it particularly dangerous in multi-tenant environments where namespace isolation is critical for security. Organizations using Consul Enterprise in production environments should immediately upgrade to the patched versions to prevent potential exploitation. The recommended mitigation involves applying the latest security patches and implementing additional monitoring for unauthorized access attempts across namespace boundaries. Security teams should also review existing ACL configurations to ensure proper namespace isolation and consider implementing additional access control layers beyond the default Consul ACL system. This vulnerability highlights the importance of proper access control implementation in distributed systems and demonstrates how namespace-based isolation can be bypassed through flawed authorization logic. The issue affects all Consul Enterprise deployments that rely on namespace-based access control, making it particularly relevant for organizations implementing service mesh architectures where proper access control boundaries are essential for maintaining security posture.
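The two checks the analysis above asks security teams to perform, confirming whether a deployment is on an affected release and reviewing which ACL policies grant the operator:write permission the advisory names, can be scripted. The following is an added example written for this page; it is not HashiCorp's or VulDB's code. It assumes version strings in the form `consul version` prints for Enterprise builds (`1.10.3+ent`), and policy records as dicts with `Name`, `Namespace` and `Rules` fields, modelled on the ACL policy object returned by `consul acl policy read`; the sample policies are constructed for the example.

```python
"""Defender-side checks for CVE-2021-41805 (Consul Enterprise cross-namespace
ACL escalation). Constructed example, not HashiCorp's or VulDB's code.

(1) is_affected: does a reported Consul version fall in the ranges the advisory
    lists as vulnerable?
(2) policies_with_operator_write: which ACL policies grant operator = "write",
    the permission the advisory says can be misused across namespaces?
"""
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_RELEASES = {(1, 8): (1, 8, 17), (1, 9): (1, 9, 11), (1, 10): (1, 10, 4)}

# Matches "1.10.3", "1.10.3+ent" and pre-release forms such as "1.10.0-beta1+ent".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(\+ent)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_enterprise) for a Consul version string.
    Enterprise builds carry the '+ent' build-metadata suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def is_affected(text):
    """True when the version is an Enterprise build inside an affected range:
    before 1.8.17, 1.9.x before 1.9.11, or 1.10.x before 1.10.4."""
    version, enterprise = parse_version(text)
    if not enterprise:
        # Namespaces are an Enterprise feature; OSS builds are out of scope.
        return False
    if version < FIXED_RELEASES[(1, 8)]:
        return True  # every release line older than 1.8.17, 1.7.x included
    line = version[:2]
    if line in FIXED_RELEASES:
        return version < FIXED_RELEASES[line]
    return False  # 1.11 and later are not listed as affected by the advisory


# A top-level `operator = "write"` rule in the policy's HCL.
_OPERATOR_WRITE_RE = re.compile(r'^\s*operator\s*=\s*"write"\s*$', re.MULTILINE)


def policies_with_operator_write(policies):
    """Return [(namespace, policy_name)] for policies whose rules grant
    operator = "write". Assumed record shape: dicts with Name, Namespace, Rules."""
    hits = []
    for p in policies:
        if _OPERATOR_WRITE_RE.search(p.get("Rules", "")):
            hits.append((p.get("Namespace", "default"), p["Name"]))
    return hits


def assess(version, policies):
    """Combine both checks into a report a security team can act on."""
    affected = is_affected(version)
    risky = policies_with_operator_write(policies)
    return {
        "version": version,
        "affected_version": affected,
        "operator_write_policies": risky,
        # Per the advisory, escalation needs both an affected build and a
        # namespace-scoped token that holds operator:write.
        "cross_namespace_escalation_risk": affected and bool(risky),
    }


# Constructed sample input for the example (not real policy data).
SAMPLE_POLICIES = [
    {"Name": "global-management", "Namespace": "default",
     "Rules": 'acl = "write"\noperator = "write"\n'},
    {"Name": "team-a-ops", "Namespace": "team-a",
     "Rules": 'operator = "write"\nservice_prefix "" {\n  policy = "read"\n}\n'},
    {"Name": "team-b-readonly", "Namespace": "team-b",
     "Rules": 'service_prefix "" {\n  policy = "read"\n}\n'},
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess("1.10.3+ent", SAMPLE_POLICIES), indent=2))
```

In a real review the version would come from `consul version` on each server and the policy records from `consul acl policy read` for every policy in every namespace; a policy flagged here is a candidate for tightening to the specific resources its tokens actually need, and the version result tells you whether the upgrade the analysis recommends is still outstanding.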