CVE-2023-2816 in Consulinfo

Summary

by MITRE • 06/03/2023

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/29/2023

This vulnerability exists in HashiCorp Consul and Consul Enterprise versions prior to 1.15.3 and 1.16.2 respectively, representing a significant privilege escalation flaw that undermines the principle of least privilege in access control. The issue stems from improper authorization checks within the service-defaults configuration mechanism, where users with merely service:write permissions can manipulate proxy instances through Envoy extensions without proper authorization to modify the underlying services they target. This creates a dangerous scenario where attackers can indirectly modify critical service configurations through proxy patching operations that bypass normal service modification permissions.

The technical flaw manifests in the authorization validation process for service-defaults resources, specifically when these configurations are used to patch remote proxy instances. When a user with service:write permissions creates or modifies a service-defaults configuration that targets specific services, the system fails to verify whether the user possesses the necessary permissions to modify those targeted services before executing the proxy patching operations. This authorization bypass occurs because the system validates permissions only against the service-defaults resource itself rather than against the target services that the proxy patching operations affect. The vulnerability is particularly concerning because it allows attackers to manipulate proxy configurations that control traffic routing, security policies, and service discovery behaviors without proper authorization.

The operational impact of this vulnerability is substantial as it enables attackers to perform unauthorized modifications to service proxy configurations that can affect service availability, security posture, and network traffic flow. An attacker with service:write permissions could potentially redirect traffic through malicious proxies, modify security policies, or disable service discovery mechanisms for targeted services. This could lead to service disruption, data exfiltration, or lateral movement within the service mesh environment. The vulnerability is especially dangerous in environments where service mesh configurations control critical infrastructure components, as it allows privilege escalation without requiring additional permissions beyond what is already available to the attacker.

The flaw aligns with CWE-284 Access Control Bypass and represents a classic case of insufficient authorization checks in distributed systems. From an ATT&CK perspective, this vulnerability maps to privilege escalation techniques and can be leveraged to maintain persistent access or escalate privileges within the service mesh environment. Organizations using Consul service mesh should immediately implement the available patches to address this issue, as the vulnerability can be exploited by any user with service:write permissions without requiring additional compromised credentials. The recommended mitigation involves applying the latest Consul releases that include proper authorization validation for proxy patching operations and implementing additional monitoring for service-defaults configuration changes to detect potential abuse of this privilege escalation mechanism.

Responsible

HashiCorp Inc.

Reservation

05/19/2023

Disclosure

06/03/2023

Moderation

accepted

CPE

ready

EPSS

0.00585

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!