CVE-2021-41803 Overview
HashiCorp Consul versions 1.8.1 through 1.11.8, 1.12.4, and 1.13.1 contain an input validation vulnerability in the auto config RPC functionality. The vulnerability arises from improper validation of node or segment names prior to their interpolation and usage in JWT claim assertions. This missing authorization check (CWE-862) allows authenticated attackers to potentially manipulate JWT claims, leading to unauthorized access or denial of service conditions.
Critical Impact
Authenticated attackers can exploit improper input validation in Consul's auto config RPC to manipulate JWT claim assertions, potentially causing information disclosure or denial of service in affected Consul clusters.
Affected Products
- HashiCorp Consul 1.8.1 through 1.11.8
- HashiCorp Consul 1.12.4
- HashiCorp Consul 1.13.1
- HashiCorp Consul Enterprise (same version ranges)
Discovery Timeline
- 2022-09-23 - CVE-2021-41803 published to NVD
- 2025-05-27 - Last updated in NVD database
Technical Details for CVE-2021-41803
Vulnerability Analysis
This vulnerability stems from missing authorization controls (CWE-862) within HashiCorp Consul's auto config RPC mechanism. The auto config feature is designed to automate the configuration of Consul agents by allowing them to retrieve configuration data and certificates from Consul servers using JWT-based authentication.
The core issue lies in how Consul processes node and segment names during JWT claim assertion construction. When an agent connects to a Consul server using the auto config RPC, the server interpolates node and segment names into JWT claims without properly validating or sanitizing these inputs first. This allows an attacker with low-level access to craft malicious node or segment names that, when interpolated into JWT claims, can lead to authorization bypass or resource exhaustion.
The attack is network-accessible and requires only low-privileged authentication, making it feasible for attackers with minimal access to a Consul cluster to exploit this vulnerability.
Root Cause
The root cause is a missing input validation check in the auto config RPC handler. When processing incoming requests, Consul fails to sanitize node and segment name parameters before using them in JWT claim construction. This missing validation allows specially crafted input values to be directly interpolated into security-sensitive JWT assertions, bypassing intended authorization controls.
Attack Vector
The vulnerability is exploitable over the network by authenticated users with low privileges. An attacker can target the auto config RPC endpoint with crafted node or segment names designed to manipulate JWT claim assertions. The attack does not require user interaction and operates within an unchanged scope, meaning the vulnerable component and impacted component are the same.
The exploitation flow involves:
- An attacker with basic Consul cluster access crafts a malicious auto config RPC request
- The request contains specially formatted node or segment names
- Consul's auto config handler interpolates these values into JWT claims without validation
- The manipulated JWT claims can lead to unauthorized access to configuration data or trigger denial of service conditions
Due to the nature of this vulnerability, detailed exploitation code is not provided. For technical specifics, refer to the HashiCorp Advisory HCSEC-2022-19.
Detection Methods for CVE-2021-41803
Indicators of Compromise
- Unusual auto config RPC requests with abnormally long or malformed node names
- JWT authentication errors or anomalies in Consul server logs
- Unexpected denial of service conditions in Consul clusters
- Repeated failed authentication attempts followed by successful access with different claims
Detection Strategies
- Monitor Consul server logs for auto config RPC requests with suspicious node or segment name patterns
- Implement anomaly detection for JWT claim validation failures
- Alert on unexpected resource consumption spikes in Consul server processes
- Review Consul audit logs for unauthorized configuration retrievals
Monitoring Recommendations
- Enable verbose logging on Consul servers to capture auto config RPC request details
- Deploy network monitoring to detect unusual traffic patterns to Consul RPC ports
- Implement rate limiting and request validation at the network perimeter
- Use SentinelOne's runtime protection to detect anomalous process behavior in Consul deployments
How to Mitigate CVE-2021-41803
Immediate Actions Required
- Upgrade HashiCorp Consul to patched versions: 1.11.9, 1.12.5, or 1.13.2
- Review Consul cluster access controls and remove unnecessary low-privileged accounts
- Audit auto config usage and consider disabling if not required
- Implement network segmentation to limit access to Consul RPC endpoints
Patch Information
HashiCorp has released security updates that address this vulnerability by adding proper input validation for node and segment names in the auto config RPC handler. The following versions contain the fix:
- Consul 1.11.9 (for the 1.11.x branch)
- Consul 1.12.5 (for the 1.12.x branch)
- Consul 1.13.2 (for the 1.13.x branch)
Refer to the HashiCorp Advisory HCSEC-2022-19 for complete patch details. Fedora users should also check for updated packages via the Fedora Package Announcements.
Workarounds
- Disable the auto config feature if it is not required for your deployment
- Restrict network access to Consul RPC endpoints using firewall rules
- Implement additional authentication layers before the Consul RPC interface
- Monitor and limit the rate of auto config RPC requests
# Example: Disable auto config in Consul server configuration
# Add to consul server configuration file (consul.hcl)
auto_config {
enabled = false
}
# Restart Consul server to apply changes
systemctl restart consul
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
