Learn about CVE-2023-0845 impacting HashiCorp's Consul platforms. Authenticated users with specific permissions could crash server and client agents, leading to a DoS condition.
This article provides detailed information about CVE-2023-0845, which affects Consul and Consul Enterprise platforms by HashiCorp.
Understanding CVE-2023-0845
CVE-2023-0845 is a vulnerability impacting Consul and Consul Enterprise platforms by HashiCorp. This vulnerability allowed an authenticated user with specific permissions to trigger a workflow that could lead to Consul server and client agents crashing under certain circumstances.
What is CVE-2023-0845?
The CVE-2023-0845 vulnerability in Consul and Consul Enterprise platforms allowed an authenticated user with service:write permissions to crash Consul server and client agents by triggering a specific workflow. The issue was resolved in Consul version 1.14.5.
The Impact of CVE-2023-0845
The impact of CVE-2023-0845 is significant because it can produce a denial of service (DoS) condition on affected systems. An attacker holding an ACL token with service:write permissions could use this vulnerability to crash agents and disrupt Consul operations.
Technical Details of CVE-2023-0845
This section delves into the technical aspects of CVE-2023-0845, including vulnerability description, affected systems and versions, and exploitation mechanism.
Vulnerability Description
CVE-2023-0845 is categorized as CWE-476: Null Pointer Dereference. The crash is a null pointer dereference that an authenticated user can reach by triggering a specific workflow, bringing down Consul server and client agents.
Affected Systems and Versions
The vulnerability affects HashiCorp's Consul and Consul Enterprise on all supported platforms, including 64-bit and 32-bit builds for x86 and ARM on macOS, Windows, and Linux. The affected versions are 1.14.0 through 1.14.4.
Exploitation Mechanism
To exploit CVE-2023-0845, an attacker must possess an ACL token with service:write permissions. Additionally, there must be at least one running ingress or API gateway configured to route traffic to an upstream service.
Mitigation and Prevention
Mitigating the risk from CVE-2023-0845 combines immediate steps, long-term security practices, and patching procedures.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
HashiCorp released the fix for CVE-2023-0845 in Consul version 1.14.5. Apply this update promptly to secure Consul and Consul Enterprise deployments against this vulnerability.
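The affected range (1.14.0 through 1.14.4) and the fixed release (1.14.5) stated above are the two facts a defender needs to inventory a fleet. The following script is an added example, not HashiCorp's code or anything from the advisory: it parses reported Consul version strings, tolerating the "+ent" suffix that Consul Enterprise builds carry and any pre-release tag, and lists which agents still fall inside the affected range. The inventory mapping of agent names to version strings is constructed for the example; in practice it would be populated from whatever source of truth records agent versions in your environment.

```python
"""Fleet check for CVE-2023-0845 (Consul 1.14.0 - 1.14.4, fixed in 1.14.5).

Added example, not HashiCorp code. It assumes an inventory that maps
agent names to the version strings they report; the sample below is
constructed and mimics the "1.14.3" / "1.14.3+ent" formats.
"""
import re
from typing import Dict, List, Tuple

# Affected range and fix version taken from the advisory text.
AFFECTED_MIN = (1, 14, 0)
AFFECTED_MAX = (1, 14, 4)
FIXED = (1, 14, 5)

# Major.minor.patch at the start of the string; an optional leading "v" is
# tolerated, and anything after the patch number (e.g. "-rc1", "+ent") is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a Consul version string.

    Pre-release tags and build metadata are dropped, so "1.14.2-rc1" and
    "1.14.2+ent" both parse as (1, 14, 2). Raises ValueError on garbage so a
    malformed inventory entry is never silently treated as safe.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(raw: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(raw) <= AFFECTED_MAX


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the names of agents that still need the 1.14.5 upgrade, sorted."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "consul-server-1": "1.14.4",
    "consul-server-2": "1.14.5",
    "consul-client-a": "1.14.0+ent",
    "consul-client-b": "1.13.7",
    "consul-client-c": "1.15.0",
}

if __name__ == "__main__":
    fixed = ".".join(str(n) for n in FIXED)
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is affected by CVE-2023-0845; "
              f"upgrade to {fixed}")
```

The comparison works on integer tuples rather than on the raw strings, so "1.14.10" would correctly sort after "1.14.5" instead of being misordered by a lexical compare; the regex deliberately rejects anything that does not start with three numeric components so that an unexpected format is surfaced as an error rather than skipped.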