To Consul or Not To Consul (CVE-2022-29153)
OSRU @ Ronin
The Offensive Security Research Unit at RONIN.AE discovered and responsibly disclosed a security vulnerability affecting HashiCorp's Consul and Consul Enterprise, all versions up to 1.9.16, 1.10.9, and 1.11.4; it was fixed in 1.9.17, 1.10.10, and 1.11.5.
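A practical first step after reading an advisory like this is to triage the agents you run against the affected and fixed versions it lists. The snippet below is an added example, not code from the original post or from HashiCorp; the version numbers come from the advisory, while the parsing, the `FIXED_BY_BRANCH` table and the rule for versions outside the three listed branches are this example's own assumptions.

```python
"""Classify Consul versions against the CVE-2022-29153 fix versions."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases per maintained branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (1, 9): (1, 9, 17),
    (1, 10): (1, 10, 10),
    (1, 11): (1, 11, 5),
}


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from strings such as 'Consul v1.10.9+ent'.

    Build suffixes like '+ent' are ignored: the advisory covers Consul
    Enterprise, so an enterprise build of an affected version is affected.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version predates the fix on its branch.

    Assumption (this example's, not the advisory's): branches older than
    1.9 count as affected because the advisory says 'all versions up to'
    the listed ones; branches newer than 1.11 count as fixed.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    return branch < (1, 9)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map agent name -> affected flag for a {name: version-string} inventory."""
    return {name: is_affected(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, as 'consul version' might report it.
    sample = {"dc1-server-1": "Consul v1.11.4", "dc1-client-7": "v1.10.10+ent"}
    for name, affected in triage(sample).items():
        print(f"{name}: {'UPGRADE' if affected else 'ok'}")
```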
At RONIN.AE our Security Engineering team works side by side with our Offensive Security Research Unit, both with a deep-rooted philosophy of ethical research and disclosure. The teams perform regular threat modeling for our clients and on our own internal platforms and systems. Our joint goal is to build secure, stable and scalable solutions to serve our flagship products and our customers.
Whilst evaluating the security of a new and upcoming solution that RONIN.AE is about to launch, we focused our attention on some underlying components, such as HashiCorp's Consul and Consul Enterprise. The team discovered that Consul's HTTP health check may allow server-side request forgery (SSRF). RONIN.AE immediately consulted HashiCorp's security team and reported the discovery as a vulnerability. RONIN.AE was pleased to note the speed and professionalism of HashiCorp's security team in acknowledging the vulnerability and rapidly issuing a CVE, together with a security bulletin recommending that customers and users upgrade to the latest versions.
The Ronin Engineering Team will be publishing a detailed walk-through of the timeline and the key engineering activities that led to the discovery on Ronin's Security Engineering Blog.