Introduction
This article is intended for System Administrators to remediate a potential vulnerability in a Consul configuration found with a Tenable Vulnerability scanner.
- Screenshot of the vulnerability from Tenable.
Reference: Tenable page Hashicorp Consul Web UI and API access
The Configuration that Would be Flagged
client_addr = "{{GetInterfaceIP \"ens5\"}}"
ui_config {
enabled = true
}
acl {
enabled = true
default_policy = "deny"
down_policy = "extend-cache"
tokens {
agent = "cf5940bf-72bd-b794-966a-83bc9efd5fc2"
default = "fa345bf-36df-c932-366f-23bc5ed0fe4"
}
}
-
- Although this configuration will work as expected, there are also unintended security implications.
- Consul will listen and respond to client operations (HTTP and DNS) on the
client_addrIP address. - Any client operations would be granted unauthenticated access with the policies linked to the default token (without passing a token in the request).
- Consul will listen and respond to client operations (HTTP and DNS) on the
- Although this configuration will work as expected, there are also unintended security implications.
Remediation
Tenable suggests a few ways to solve this problem. Below we'll go over how to address them in the Consul configuration.
Limiting Client Operations to Local Host
- It is important to understand which network interface Consul listens on to respond to client operations requests. This network interface will be the IP that the security scanner will be scanning against. The following is a reference to
-clientcommand-line flag which is equivalent toclient_addr.
-client- The address to which Consul will bind client interfaces, including the HTTP and DNS servers. By default, this is "127.0.0.1", allowing only loopback connections. In Consul 1.0 and later this can be set to a space-separated list of addresses to bind to, or a go-sockaddr template that can potentially resolve to multiple addresses.
- Setting the
client_addrinterface will allow for the Consul client to listen for client operations including HTTP requests [including API and Consul User interface (UI)] and DNS requests.
Configuring Access Control List (ACL) for the Consul Agent
Two types of tokens are responsible for client requests when a token is not specified. If you would like more details, please refer to the knowledge base article Default Token and Anonymous Token Relationship.
- In this example, we will be focusing on utilizing the Anonymous Token.
Example Secure Configuration
# Commenting outclient_addrwill default to loopback interface
# client_addr = "{{GetInterfaceIP \"ens5\"}}"
ui_config {
enabled = true
}
acl {
enabled = true
default_policy = "deny"
down_policy = "extend-cache"
tokens {
agent = "cf5940bf-72bd-b794-966a-83bc9efd5fc2"
}
}
- Notable highlights of this configuration
- Client operations are limited to the loopback interface by default as it is commented out.
- Protected as ACL policy, default_policy = "deny"
-
Since no default token is specified, the anonymous token will be passed to the tenable scanner.
- The anonymous token has no ACL policies attached to it by default.
However, the setting would not allow Consul UI to be accessible from your workstation browser. More often your configuration for client_addr should be set to a private network interface IP address that is reachable within the network.
Additional information
- Agents Command-line Reference -client
- Agents Configuration File Reference General Parameters
- ACL Tokens