Hashicorp Consul API is accessible without authentication
Description
The HashiCorp Consul HTTP API is reachable without any form of authentication. Consul is a service mesh solution that provides service discovery, configuration (a key/value store) and network segmentation. Its ACL system is disabled in the default configuration, so when the API (TCP port 8500 by default) is exposed without ACLs enabled, anyone who can reach the port can enumerate nodes and services, read service definitions and health checks, register or deregister services, and read and write the key/value store, which frequently holds application configuration and credentials. If remote execution (consul exec) is enabled on the agents (it has been disabled by default since Consul 0.8), an attacker with access to the API can submit exec jobs through the key/value store and run arbitrary commands on every agent in the cluster.
Remediation
Implement the following security controls to protect the HashiCorp Consul API:
1. Enable ACL (Access Control List) authentication: Configure Consul to require authentication tokens for all API requests by enabling the ACL system, with a default-deny policy, in the configuration of every server and client agent:
acl {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
With default_policy set to "deny", a request that carries no token is evaluated as the anonymous token and is rejected unless you have explicitly attached a policy to that token. After the servers restart, run consul acl bootstrap once to create the initial management token, then create scoped agent tokens and install them on each agent with consul acl set-agent-token agent <token>. Because enable_token_persistence writes those tokens to the agent's data directory, restrict file permissions on that directory.
2. Disable remote execution: Prevent remote command execution by setting the following option in your Consul agent configuration:
disable_remote_exec = true
This has been the default since Consul 0.8, but set it explicitly so that it cannot be silently re-enabled by a later configuration change. Remote exec jobs are delivered through the key/value store, so this setting only removes the command-execution path; it does not replace ACLs on the key/value store.
3. Restrict network access: Use firewall rules or network segmentation to limit API access to trusted IP addresses and networks only. Ensure the Consul API (default port 8500) is not exposed to the public internet. Bind the plaintext HTTP listener to loopback (addresses { http = "127.0.0.1" }) so that only local tooling on the host can use it, and expose the HTTPS listener (default port 8501) only to the networks that need it.
4. Enable TLS encryption: Configure TLS for all Consul communications to prevent eavesdropping and man-in-the-middle attacks: set ca_file, cert_file and key_file, enable verify_incoming and verify_outgoing so that both ends of every RPC connection are authenticated, set verify_server_hostname = true so that a compromised client certificate cannot be used to impersonate a server, and serve the API over HTTPS (ports { https = 8501 }) instead of plaintext HTTP. TLS protects the transport only; it is not a substitute for ACLs.
After implementing these changes, restart the Consul agents and verify that unauthenticated access is blocked, for example with curl -i https://<consul-host>:8501/v1/agent/self sent without a token, which should return HTTP 403 with the body "Permission denied"; check a key/value read (/v1/kv/?keys) the same way. Note that the catalog list endpoints (for example /v1/catalog/nodes) filter their results by ACL rather than refusing the request, so an empty list from them is not by itself proof that ACLs are enforced; repeat that request with a valid token to confirm the data exists and is merely hidden.
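The hardened configuration from the steps above and the post-change check, combined into one script. This is an added example written for this page, not HashiCorp's code or tooling: it writes the ACL, remote-exec, listener and TLS settings as a single HCL fragment, then probes an agent with no token and treats a 401/403 as a pass, a 200 carrying data as a failure, and an empty list, a 404 or an unreachable host as something to inspect by hand. The config file path, the certificate paths and the address https://consul.example.internal:8501 are assumptions.

```sh
#!/bin/sh
# Added example (not HashiCorp's code): writes a hardened Consul agent
# configuration fragment and probes an agent without a token to confirm the
# HTTP API is no longer open. File paths, hostnames and ports are assumptions.
set -eu

# Write the hardened agent settings as HCL to the path in $1. Assumed to be
# dropped into /etc/consul.d/ next to the existing agent configuration.
write_hardened_config() {
  cat > "$1" <<'EOF'
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true   # tokens are written to data_dir; protect it
}

# Default since Consul 0.8; pinned so a later change cannot re-enable it.
disable_remote_exec = true

# Plaintext HTTP only on loopback (local CLI); HTTPS for everything else.
addresses {
  http = "127.0.0.1"
}
ports {
  https = 8501
}

# TLS for internal RPC and the HTTPS API (Consul 1.12+ "tls" stanza).
# Certificate paths are placeholders for the ones issued by your CA.
tls {
  defaults {
    ca_file         = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    verify_outgoing = true
  }
  internal_rpc {
    verify_incoming        = true
    verify_server_hostname = true
  }
}
EOF
}

# Classify one anonymous probe from its HTTP status ($1) and body ($2):
#   PASS  401/403: the ACL system rejected the request without a token
#   FAIL  200 with data: the endpoint is readable without a token
#   WARN  look by hand: 200 with an empty list (catalog endpoints filter by
#         ACL instead of denying, so "[]" proves nothing), 404, an
#         unreachable host (status 000) or any other status
assess() {
  status="$1"
  body="$(printf '%s' "${2-}" | tr -d ' \t\r\n')"
  case "$status" in
    401|403) echo PASS ;;
    200)
      case "$body" in
        ''|'[]'|'{}'|null) echo WARN ;;
        *) echo FAIL ;;
      esac ;;
    *) echo WARN ;;
  esac
}

# Probe the agent at $1 (e.g. https://consul.example.internal:8501) with no
# token. Prints "VERDICT STATUS ENDPOINT" per endpoint; returns 1 on any FAIL.
check_unauthenticated() {
  base="$1"
  failed=0
  for ep in /v1/agent/self '/v1/kv/?keys' /v1/catalog/nodes /v1/catalog/services; do
    tmp="$(mktemp)"
    status="$(curl -s -o "$tmp" -w '%{http_code}' "$base$ep")" || status=000
    verdict="$(assess "$status" "$(cat "$tmp")")"
    rm -f "$tmp"
    printf '%s %s %s\n' "$verdict" "$status" "$ep"
    if [ "$verdict" = FAIL ]; then failed=1; fi
  done
  return "$failed"
}

# Usage:  sh consul_harden.sh write /etc/consul.d/hardening.hcl
#         sh consul_harden.sh check https://consul.example.internal:8501
case "${1-}" in
  write) write_hardened_config "$2" ;;
  check) check_unauthenticated "$2" ;;
esac
```

Run consul validate /etc/consul.d after writing the fragment and before restarting the agents. If the HTTPS listener uses a private CA, export CURL_CA_BUNDLE=/path/to/consul-agent-ca.pem before the check so curl can validate the certificate; otherwise every probe is reported as WARN with status 000.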