CVE-2023-2816
📋 TL;DR
This vulnerability allows users with service:write permissions in Consul to modify Envoy proxy configurations for downstream services they don't own. Attackers could redirect, intercept, or manipulate traffic between services. Affects Consul and Consul Enterprise deployments using Envoy extensions.
💻 Affected Systems
- Consul
- Consul Enterprise
📦 What is this software?
Consul by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
An attacker with service:write permissions could redirect all traffic between services to malicious endpoints, intercept sensitive data, or cause complete service disruption across the entire service mesh.
Likely Case
Privilege escalation where users with limited permissions gain unauthorized control over other services' proxy configurations, potentially leading to data leakage or service manipulation.
If Mitigated
With proper network segmentation and minimal permissions, impact is limited to specific services within the same trust boundary.
🎯 Exploit Status
Exploitation requires authenticated access to Consul with service:write permissions. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consul 1.15.4, 1.14.8, and 1.13.12
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525
Restart Required: Yes
Instructions:
1. Back up Consul configuration and data.
2. Upgrade to a patched version (1.15.4, 1.14.8, or 1.13.12).
3. Restart Consul servers and clients.
4. Verify that all services are functioning correctly.
🔧 Temporary Workarounds
Restrict service:write permissions
Limit service:write permissions to only essential users and services, and scope each grant to the services that principal actually owns. Implement least-privilege access controls.
# Review and update Consul ACL policies so that service:write is granted per service.
# Do not use an empty-name rule (service "") in an attempt to scope the grant; name the
# service explicitly. <service-name> is a placeholder for the service the token may manage.
consul acl policy create -name restricted-service-write -rules 'service "<service-name>" { policy = "write" }'
Disable Envoy extensions if not needed
If Envoy extensions are not required for your deployment, disable them to eliminate the attack vector.
# Remove the Envoy extension configuration from the affected service-defaults entry and
# rewrite the entry without it. <service-name> is a placeholder for the service's name.
consul config write - <<EOF
Kind = "service-defaults"
Name = "<service-name>"
# the Envoy extension configuration (EnvoyExtensions) is deliberately omitted
EOF
🧯 If You Can't Patch
- Implement strict network segmentation between services to limit lateral movement potential
- Enable detailed audit logging for all service:write operations and monitor for unauthorized proxy modifications
🔍 How to Verify
Check if Vulnerable:
Check the Consul version with 'consul version'. If the version is below the fixed release for its line (1.15.4, 1.14.8, or 1.13.12) and Envoy extensions are configured, the system is vulnerable.
Check Version:
consul version
Verify Fix Applied:
After the upgrade, verify that the version is 1.15.4, 1.14.8, 1.13.12, or a later release in the same line. Test that users with service:write permissions cannot modify proxy configurations for services they don't own.
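The version rule from the check above, turned into a script. This is an added example and not part of the advisory; it assumes the three fixed releases listed above (1.13.12, 1.14.8, 1.15.4) are the cutoffs, treats anything older than 1.13 as vulnerable and 1.16 or later as fixed, and answers only the version question (whether Envoy extensions are configured still has to be checked separately).

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Consul version string against the
# fixed releases from HCSEC-2023-16. Exit status: 0 = vulnerable, 1 = fixed, 2 = unparseable.
consul_version_vulnerable() {
    # Accept "1.15.3", "v1.15.3", "1.15.3+ent" or the first line of `consul version`
    # ("Consul v1.15.3"); reduce it to "MAJOR MINOR PATCH".
    v=$(printf '%s\n' "$1" | sed -n -e 's/^[^0-9]*//' \
        -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p' | head -n 1)
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; patch=$3
    # Only the 1.x series exists; anything below is ancient, anything above is assumed fixed.
    [ "$major" -eq 1 ] || { [ "$major" -lt 1 ] && return 0 || return 1; }
    case "$minor" in
        13) [ "$patch" -lt 12 ] && return 0 || return 1 ;;
        14) [ "$patch" -lt 8 ]  && return 0 || return 1 ;;
        15) [ "$patch" -lt 4 ]  && return 0 || return 1 ;;
        *)  [ "$minor" -lt 13 ] && return 0 || return 1 ;;  # <1.13 unfixed, >=1.16 fixed
    esac
}

# Stand-alone use: report on the locally installed binary when one is present.
if command -v consul >/dev/null 2>&1; then
    rc=0; consul_version_vulnerable "$(consul version 2>/dev/null | head -n 1)" || rc=$?
    case $rc in
        0) echo "vulnerable version: upgrade to 1.13.12, 1.14.8 or 1.15.4 (or newer)" ;;
        1) echo "fixed version" ;;
        *) echo "could not parse 'consul version' output" ;;
    esac
fi
```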
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to service-defaults configurations
- Unexpected Envoy proxy configuration changes
- service:write operations targeting services outside the user's scope
Network Indicators:
- Unexpected traffic redirection between services
- Unusual proxy configuration updates
SIEM Query:
source="consul" AND ("service-defaults" OR "envoy_extension") AND action="write"