CVE-2021-28156

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass audit logging in HashiCorp Consul Enterprise by sending specifically crafted HTTP events. This affects Consul Enterprise versions 1.8.0 through 1.9.4, potentially allowing malicious activity to go undetected in audit logs.

💻 Affected Systems

Products:
  • HashiCorp Consul Enterprise
Versions: 1.8.0 through 1.9.4
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Consul Enterprise edition; open source Consul is not affected. Requires audit logging to be enabled for impact.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could execute unauthorized actions without leaving audit trails, enabling persistent undetected access, data exfiltration, or configuration changes.

🟠

Likely Case

Audit log gaps that hinder security investigations and compliance reporting, potentially masking reconnaissance or low-impact attacks.

🟢

If Mitigated

Limited to audit visibility issues without direct system compromise if other security controls (network segmentation, authentication) are effective.

🌐 Internet-Facing: MEDIUM - While the vulnerability doesn't directly enable remote code execution, internet-facing Consul instances could have attack activity go undetected.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could evade audit detection, complicating incident response.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting specific HTTP events to bypass audit logging. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 or 1.8.10

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369

Restart Required: Yes

Instructions:

1. Back up the Consul configuration and data.
2. Upgrade to Consul Enterprise 1.9.5 or 1.8.10.
3. Restart the Consul services.
4. Verify that audit logs are functioning correctly.

🔧 Temporary Workarounds

Enhanced Log Monitoring


Implement additional log collection from network devices or host systems to supplement potentially missing audit logs.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Consul API endpoints
  • Enable comprehensive monitoring of all HTTP traffic to/from Consul servers

🔍 How to Verify

Check if Vulnerable:

Check the Consul version with the 'consul version' command. If you are running the Enterprise edition with a version between 1.8.0 and 1.9.4 inclusive, you are vulnerable (1.8.10 and later 1.8.x releases carry the fix; see Official Fix above).

Check Version:

consul version

Verify Fix Applied:

After patching, verify that the version is 1.9.5+ or 1.8.10+. Test audit logging with a variety of HTTP requests to ensure that every event is captured.
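The version check described above, as an added example that is not part of the original advisory: it parses the first line of `consul version` output and evaluates the affected range per minor branch, because 1.8.10 is a fixed release even though it sorts below 1.9.4 in a flat comparison. It assumes that Enterprise builds print a `+ent` suffix (e.g. `Consul v1.9.4+ent`).

```python
import re

# Affected Consul Enterprise branches per the advisory. Each minor branch has
# its own fixed patch release, so the check is made per branch rather than as
# one flat "1.8.0 .. 1.9.4" range (1.8.10 sorts below 1.9.4 but is fixed).
FIXED_PATCH = {
    (1, 8): 10,  # 1.8.0 .. 1.8.9 vulnerable, fixed in 1.8.10
    (1, 9): 5,   # 1.9.0 .. 1.9.4 vulnerable, fixed in 1.9.5
}

# Assumption: `consul version` prints a first line like "Consul v1.9.4+ent",
# where the "+ent" build suffix marks the Enterprise edition.
_VERSION_RE = re.compile(r"Consul v(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?(\+ent)?")


def parse_consul_version(output):
    """Return ((major, minor, patch), is_enterprise) from `consul version` output."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised consul version output")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def is_vulnerable(version, is_enterprise):
    """CVE-2021-28156 only affects Enterprise builds in the listed branches."""
    if not is_enterprise:
        return False
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def assess(output):
    """Summarise one `consul version` output as a small dict."""
    version, ent = parse_consul_version(output)
    return {"version": ".".join(map(str, version)),
            "enterprise": ent,
            "vulnerable": is_vulnerable(version, ent)}


if __name__ == "__main__":
    import json
    import subprocess
    # Run the real command on the host being checked.
    out = subprocess.run(["consul", "version"], capture_output=True, text=True).stdout
    print(json.dumps(assess(out)))
```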

📡 Detection & Monitoring

Log Indicators:

  • Gaps in audit logs for HTTP events
  • Missing expected audit entries for API calls

Network Indicators:

  • Unusual HTTP patterns to Consul API endpoints
  • Requests with crafted headers or parameters

SIEM Query (pseudo-query; adapt the source and field names to your SIEM):

source="consul" AND NOT event_type="http" WHERE expected_audit_event=true

🔗 References
