Consul API publicly exposed
Description
Consul is a service mesh and service discovery platform that manages network configurations and service-to-service communication across distributed systems.
This vulnerability occurs when the Consul HTTP API is reachable from the public internet without access controls. The API is designed to operate inside a trusted network boundary and should never be directly accessible from untrusted networks: the agent binds its HTTP listener to the address given by `client_addr`, which defaults to loopback, so public exposure usually means the agent was bound to 0.0.0.0 on an internet-facing host. Consul's ACL system is disabled by default, and without it the API is unauthenticated. Anyone who can reach it can read the service catalog and the key/value store, register or deregister services and health checks, and otherwise modify the cluster's state.
Remediation
Immediately restrict access to the Consul API by implementing the following controls:
1. Configure firewall rules or security groups to block public internet access to the Consul API ports (default 8500 for HTTP; the HTTPS listener is disabled unless configured, and 8501 is the conventional port for it). Prefer binding `client_addr` to loopback or a private interface rather than relying on the firewall alone.
2. Ensure Consul is only accessible from trusted internal networks or through a VPN
3. Enable Consul ACLs (Access Control Lists) with a default-deny policy to enforce authentication and authorization. After enabling them, bootstrap the ACL system (`consul acl bootstrap`) and issue a scoped token to each client; until bootstrap completes, no request carrying a token will succeed:
acl {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
4. If external access is required, implement a reverse proxy with authentication (such as OAuth2 or mutual TLS) in front of the Consul API
5. Use TLS for all Consul communications: disable the plaintext HTTP listener (set the HTTP port to -1), serve the API over HTTPS only, and set `verify_incoming` so that callers must present a client certificate signed by the Consul CA
6. Regularly review logs for unauthorized access attempts. Consul's HTTP audit logging is an Enterprise feature; on the community edition, log requests at the reverse proxy or load balancer in front of the agent
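The remediation steps above, combined into one agent configuration. This is an added example, not configuration from the original page or from the Consul project; it assumes the host's private interface is 10.0.1.10, that the certificates were produced with `consul tls ca create` and `consul tls cert create -server` and placed under /etc/consul.d/tls/, and that the agent runs Consul 1.12 or later (the `tls` stanza with `defaults` and `internal_rpc` sub-blocks was introduced in that release).

```hcl
# Hardened Consul agent configuration (added example; addresses and paths
# are assumptions, adjust them to your environment).

datacenter = "dc1"
data_dir   = "/opt/consul"

# Step 2: the HTTP/HTTPS API listens on client_addr. The default is loopback;
# public exposure usually comes from setting it to 0.0.0.0. Bind to the
# private interface only, and let the firewall (step 1) block everything else.
client_addr = "10.0.1.10"

# Steps 1 and 5: disable the plaintext HTTP listener (-1 means off) and serve
# the API over HTTPS on the conventional port 8501.
ports {
  http  = -1
  https = 8501
}

# Step 5: TLS for agent-to-agent RPC and for the HTTPS API. verify_incoming
# requires every inbound connection, API clients included, to present a
# certificate signed by the Consul CA (mutual TLS).
tls {
  defaults {
    ca_file         = "/etc/consul.d/tls/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/tls/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/tls/dc1-server-consul-0-key.pem"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    # Reject servers whose certificate does not carry the expected
    # server.dc1.consul name, which blocks a compromised client agent
    # from impersonating a server.
    verify_server_hostname = true
  }
}

# Step 3: ACLs on, default deny, tokens persisted across agent restarts.
# Run `consul acl bootstrap` once after the cluster comes up, then issue
# least-privilege tokens to each service and operator.
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}
```

To confirm the fix from outside the trusted network, a plain `curl http://<host>:8500/v1/status/leader` should fail to connect at all (port closed and listener disabled), and an HTTPS request to port 8501 without a CA-signed client certificate should be rejected during the TLS handshake. From inside the network, a request that presents a valid certificate but no token should return HTTP 403 for anything the anonymous policy does not allow, which is what a default-deny ACL policy looks like when it is working.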