HashiCorp Consul Agent-to-Agent TLS Communication Server Hostname Verification Vulnerability [CVE-2019-9764]
CVE Number – CVE-2019-9764
A vulnerability in HashiCorp Consul could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system.The vulnerability exists because the affected software is missing the agent-to-agent Transport Layer Security (TLS) communication server hostname verification functionality. An attacker could exploit this vulnerability by executing a man-in-the-middle attack to bypass access restrictions on a targeted system. A successful exploit could allow the attacker to bypass hostname-based TLS verification controls on a targeted system.HashiCorp has confirmed the vulnerability and released software updates.
Analysis
- A successful exploit of this vulnerability could allow the attacker to gain unauthorized access to the targeted system, which the attacker could use to conduct further attacks.
Safeguards
- Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor affected systems.
Vendor Announcements
- HashiCorp has released an issue report at the following link: Issue 5519
Fixed Software
- HashiCorp has released a software update at the following link: HashiCorp Consul 1.4.4
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.