
CVE-2019-12291 Explained: Impact and Mitigation

Learn about CVE-2019-12291 affecting HashiCorp Consul versions 1.4.0 through 1.5.0. Discover the impact, technical details, affected systems, and mitigation steps.

HashiCorp Consul versions 1.4.0 through 1.5.0 have an access control issue that allows tokens with specific policies to delete keys not matching the ACL rule for prefix matching.

Understanding CVE-2019-12291

This CVE involves a vulnerability in HashiCorp Consul versions 1.4.0 through 1.5.0 that impacts access control mechanisms.

What is CVE-2019-12291?

The vulnerability in HashiCorp Consul versions 1.4.0 through 1.5.0 allows tokens with specific policies to delete keys that do not match the ACL rule for prefix matching, even when default deny settings are configured.

The Impact of CVE-2019-12291

This vulnerability could potentially lead to unauthorized deletion of keys within HashiCorp Consul, compromising data integrity and security.

Technical Details of CVE-2019-12291

This section provides more technical insights into the CVE.

Vulnerability Description

HashiCorp Consul versions 1.4.0 through 1.5.0 have an Incorrect Access Control issue where keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token with that policy, even with default deny settings configured.

Affected Systems and Versions

        Product: HashiCorp Consul
        Versions: 1.4.0 through 1.5.0

Exploitation Mechanism

The vulnerability allows tokens with specific policies to delete keys that do not match the ACL rule for prefix matching, bypassing default deny settings.
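To make the prefix-matching point concrete from the defender's side, here is a small added model (not Consul's own code) of how a default-deny KV ACL check should behave: an exact key rule wins, otherwise the longest matching key_prefix rule, otherwise the default, and a delete that touches several keys is allowed only when every key individually resolves to write. The rule layout and policy names are assumptions that mirror Consul's policy language; the sample policy and key list are constructed.

```python
# Simplified model of a Consul-style KV ACL check, added for illustration.
# Assumption: "key" rules match exactly and beat "key_prefix" rules; among
# prefix rules the longest matching prefix wins; anything unmatched gets the
# default policy ("deny" here, i.e. default deny is configured).

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str    # "key" (exact match) or "key_prefix"
    path: str
    policy: str  # "deny", "read" or "write"


def resolve(rules, key, default_policy="deny"):
    """Return the effective policy for a single key."""
    exact = [r for r in rules if r.kind == "key" and r.path == key]
    if exact:
        return exact[0].policy
    prefixes = [r for r in rules
                if r.kind == "key_prefix" and key.startswith(r.path)]
    if prefixes:
        return max(prefixes, key=lambda r: len(r.path)).policy
    return default_policy


def authorize_delete(rules, keys, default_policy="deny"):
    """Authorize a delete that may span many keys.

    Every key must resolve to "write"; a single key outside the token's
    prefix rule denies the whole operation. Returns (allowed, denied_keys)
    so the denied keys can be logged for review.
    """
    denied = [k for k in keys if resolve(rules, k, default_policy) != "write"]
    return (len(denied) == 0, denied)


# Constructed sample policy: write only below "app/config/", and the
# individual key "app/config/secret" is explicitly read-only.
POLICY = [Rule("key_prefix", "app/config/", "write"),
          Rule("key", "app/config/secret", "read")]

# Constructed set of keys a broad delete under "app/" would sweep up.
KEYS_UNDER_APP = ["app/config/db", "app/config/secret", "app/state/leader"]

if __name__ == "__main__":
    print(authorize_delete(POLICY, ["app/config/db"]))   # (True, [])
    print(authorize_delete(POLICY, KEYS_UNDER_APP))      # denies two keys
```

A token holding only the prefix rule above must be refused the multi-key delete because "app/state/leader" falls back to default deny; that per-key refusal is exactly the behaviour the affected versions fail to enforce.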

Mitigation and Prevention

Protect your systems from CVE-2019-12291 with the following steps:

Immediate Steps to Take

        Update HashiCorp Consul to a patched version.
        Review and adjust access control policies to prevent unauthorized key deletions.

Long-Term Security Practices

        Regularly review and update access control configurations.
        Monitor key deletion activities for any suspicious behavior.

Patching and Updates

Ensure timely patching and updates for HashiCorp Consul to address the access control vulnerability.
