CVE-2021-32574
📋 TL;DR
HashiCorp Consul's service mesh (Connect) generates the TLS configuration that Envoy sidecar proxies use for upstream connections. In affected versions that configuration did not require the upstream's certificate to carry the expected destination service identity (the SPIFFE URI in the certificate's subject alternative name), so a sidecar accepted any certificate issued by the mesh CA. Any principal holding a mesh-issued certificate could therefore pose as a destination service and intercept or manipulate traffic between services. Affects Consul and Consul Enterprise versions 1.3.0 through 1.10.0.
💻 Affected Systems
- HashiCorp Consul
- HashiCorp Consul Enterprise
📦 What is this software?
Consul by HashiCorp: a service networking platform providing service discovery, health checking, a key/value store, and a service mesh (Consul Connect) in which service-to-service traffic is carried over mutual TLS by sidecar proxies, typically Envoy, whose configuration the local Consul agent generates and pushes over xDS.
⚠️ Risk & Real-World Impact
Worst Case
Man-in-the-middle attacks allowing interception, modification, or injection of sensitive service-to-service communications, potentially leading to data theft or service compromise.
Likely Case
A workload inside the mesh (or one an attacker has compromised) presents its own mesh-issued certificate and is accepted by a client sidecar as a different upstream service, gaining access to requests intended for that service and the ability to forge its responses. The attacker also needs a way to receive the client's connections (an on-path position or control of the destination address); the missing SAN check removes the TLS identity check that would otherwise stop the impersonation.
If Mitigated
Limited impact due to network segmentation, additional authentication layers, or restricted access to vulnerable components.
🎯 Exploit Status
An attacker needs a certificate issued by the mesh CA (i.e., control of any service enrolled in the mesh) and a way to receive a client sidecar's upstream connections; the vulnerable sidecar then accepts the attacker's certificate regardless of which service it names. No public exploit is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.14, 1.9.8, and 1.10.1
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
Restart Required: Yes
Instructions:
1. Identify affected Consul versions on every agent, servers and clients alike (see How to Verify).
2. Back up configuration and server state.
3. Upgrade to a patched version (1.8.14, 1.9.8, or 1.10.1), servers first and then clients, as in a normal Consul upgrade.
4. Restart the Consul agents on the new binary. Envoy sidecars receive their upstream TLS configuration from the local client agent over xDS, so a sidecar is protected only once it has reconnected to an upgraded agent and received new cluster configuration.
5. Verify that the upstream TLS contexts Envoy now holds pin the destination service's subject alternative name (see How to Verify).
🔧 Temporary Workarounds
Stop running Envoy sidecars where the mesh is not required
Consul has no flag or config entry that disables the Envoy integration; the affected TLS configuration is produced only for proxies started with consul connect envoy. Until the agents are upgraded, do not deploy Envoy sidecars for services that do not need the mesh, and treat every mesh-issued certificate as able to impersonate any upstream.
Network Segmentation
Implement strict network segmentation so that only the expected hosts can reach a sidecar's upstream listeners and be reached by its outbound connections; an attacker who cannot receive a client's connections cannot exploit the missing SAN check.
🧯 If You Can't Patch
- Add end-to-end authentication above the mesh (signed requests or tokens verified by the upstream application itself) so that a proxy impersonating the destination can neither forge accepted responses nor obtain reusable credentials
- Monitor service-to-service connections against the registered topology: an upstream address that is not a registered, healthy instance of the target service, or connections that do not match configured intentions, indicate impersonation or traffic steering
🔍 How to Verify
Check if Vulnerable:
Run consul version. The agent is vulnerable if it reports 1.3.0 through 1.10.0 inclusive, except the backported fixes 1.8.14 and 1.9.8; 1.10.1 and later are fixed. Check every agent that launches Envoy sidecars, because the vulnerable TLS configuration is generated by the local client agent serving xDS to the proxy, not by the servers.
Check Version:
consul version
Verify Fix Applied:
Confirm that consul version reports 1.8.14, 1.9.8, 1.10.1 or later on each agent, then inspect the sidecar's live Envoy configuration through the Envoy admin endpoint's config dump. Every mesh upstream cluster's TLS context should carry a validation_context with match_subject_alt_names pinning the destination's SPIFFE ID (spiffe://<trust-domain>.consul/ns/default/dc/<dc>/svc/<service>); a TLS cluster that has only trusted_ca and no SAN matcher is still vulnerable. Run the check after the sidecar has reconnected to the upgraded agent, since it keeps the old clusters until new ones are pushed.
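The two verification steps above as an added, runnable example (this is not HashiCorp's code or a Consul tool). Part 1 classifies `consul version` output against the affected range, including the backported fixes. Part 2 audits an Envoy admin config dump, the JSON that `curl -s localhost:19000/config_dump` returns for a sidecar started with `consul connect envoy` (19000 is that command's default admin bind), and lists mesh upstream clusters whose TLS context has no subject-alternative-name matcher, which is what the fix adds. The config dump embedded below is constructed, not captured; its trust domain and certificate body are made up, and the field layout assumed is Envoy's v3 `UpstreamTlsContext` in `transport_socket.typed_config`, with the deprecated v2 `tls_context` accepted as a fallback.

```python
"""Verification helpers for CVE-2021-32574 (added example, not HashiCorp code).

Part 1 classifies `consul version` output against the affected range.
Part 2 audits an Envoy admin /config_dump and lists mesh upstream clusters
whose TLS context has no subject-alternative-name matcher. The config dump
at the bottom is constructed for the example."""
import json
import re
import sys
from typing import Dict, List, Optional

# ---- Part 1: is this agent in the affected range? ----
_VERSION_RE = re.compile(r"Consul v(\d+)\.(\d+)\.(\d+)")
_FIRST_AFFECTED, _LAST_AFFECTED = (1, 3, 0), (1, 10, 0)
_BACKPORTED_FIXES = {(1, 8, 14), (1, 9, 8)}  # 1.10.1 is already above the range


def parse_consul_version(output: str) -> tuple:
    """(major, minor, patch) from `consul version`; '+ent' / '-dev' suffixes are ignored."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Consul vX.Y.Z' line in output")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(output: str) -> bool:
    v = parse_consul_version(output)
    return v not in _BACKPORTED_FIXES and _FIRST_AFFECTED <= v <= _LAST_AFFECTED


# ---- Part 2: does every TLS upstream cluster pin the destination SAN? ----
def _upstream_tls(cluster: dict) -> Optional[dict]:
    """UpstreamTlsContext of a cluster, or None if the cluster is plaintext. Envoy v3
    keeps it in transport_socket.typed_config; v2 bootstraps used cluster.tls_context."""
    return cluster.get("transport_socket", {}).get("typed_config") or cluster.get("tls_context")


def _exact_sans(tls: dict) -> List[str]:
    """Exact SAN strings Envoy will require, read from match_subject_alt_names
    or from the newer match_typed_subject_alt_names form."""
    vctx = tls.get("common_tls_context", {}).get("validation_context", {})
    matchers = vctx.get("match_subject_alt_names") or vctx.get("match_typed_subject_alt_names") or []
    sans = []
    for m in matchers:
        m = m.get("matcher", m)  # the typed form nests a StringMatcher
        if "exact" in m:
            sans.append(m["exact"])
    return sans


def audit_upstream_clusters(config_dump: dict) -> Dict[str, List[str]]:
    """Dynamic TLS cluster name -> required exact SANs. An empty list means the
    sidecar accepts any certificate signed by the mesh CA (the CVE condition)."""
    result: Dict[str, List[str]] = {}
    for section in config_dump.get("configs", []):
        if not section.get("@type", "").endswith("ClustersConfigDump"):
            continue
        for entry in section.get("dynamic_active_clusters", []):
            cluster = entry.get("cluster", {})
            tls = _upstream_tls(cluster)
            if tls is not None:  # skips plaintext clusters such as local_app
                result[cluster["name"]] = _exact_sans(tls)
    return result


def clusters_missing_san_match(config_dump: dict) -> List[str]:
    return sorted(n for n, s in audit_upstream_clusters(config_dump).items() if not s)


# Constructed sample dump: "db" rendered the way an unpatched agent does (CA only),
# "cache" the way a patched agent does (CA plus exact SPIFFE ID). Trust domain is made up.
_TD = "11111111-2222-3333-4444-555555555555"
_TLS_TYPE = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"


def _tls_cluster(service: str, with_san: bool) -> dict:
    name = f"{service}.default.dc1.internal.{_TD}.consul"
    vctx: dict = {"trusted_ca": {"inline_string": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"}}
    if with_san:
        vctx["match_subject_alt_names"] = [{"exact": f"spiffe://{_TD}.consul/ns/default/dc/dc1/svc/{service}"}]
    tls = {"@type": _TLS_TYPE, "common_tls_context": {"validation_context": vctx}, "sni": name}
    return {"cluster": {"name": name, "transport_socket": {"name": "tls", "typed_config": tls}}}


SAMPLE_CONFIG_DUMP = {"configs": [
    {"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"},
    {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
     "dynamic_active_clusters": [{"cluster": {"name": "local_app", "type": "STATIC"}},
                                 _tls_cluster("db", with_san=False),
                                 _tls_cluster("cache", with_san=True)]},
]}

if __name__ == "__main__":
    # Usage: python3 check_san.py [config_dump.json]; with no file the sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dump = json.load(fh)
    else:
        dump = SAMPLE_CONFIG_DUMP
    for name, sans in audit_upstream_clusters(dump).items():
        print(("OK   " if sans else "VULN ") + name, sans)
```

Against the sample, `db` is reported as vulnerable and `cache` as pinned to its SPIFFE ID; on a real sidecar, save `curl -s localhost:19000/config_dump` to a file and pass it as the argument. The audit deliberately treats a cluster with a SAN matcher of any other kind (prefix, suffix, regex) as unpinned, because only an exact SPIFFE ID ties the certificate to one service.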
📡 Detection & Monitoring
Log Indicators:
- A successful impersonation leaves no TLS error on the vulnerable client sidecar, which accepts the rogue certificate silently; do not rely on handshake failures to detect exploitation before patching
- After patching, unexpected TLS handshake failures on the client sidecar (Envoy upstream connection errors citing certificate verification) can indicate an attempted impersonation that the SAN check now blocks
- Unusual service connection patterns in Consul logs, such as connections to upstream addresses that are not registered instances of the target service
- Envoy proxy connection errors that coincide with changes to a service's registered instances or addresses
Network Indicators:
- Upstream mTLS sessions terminating at a host that is not a registered instance of the destination service
- Suspicious service-to-service communication that does not match configured intentions or the expected topology
SIEM Query:
source="consul" AND ("TLS handshake" OR "Envoy" OR "certificate validation") AND severity>=WARNING
🔗 References
- https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
- https://github.com/hashicorp/consul/releases/tag/v1.10.1
- https://security.gentoo.org/glsa/202208-09
- https://www.hashicorp.com/blog/category/consul