HashiCorp Consul Web UI and API access

High Nessus Plugin ID 111351

Synopsis

The HashiCorp Consul Web UI and API are accessible remotely if not configured properly.

Description

A remote, unauthenticated attacker may be able to access the Consul Web UI and API to gather data, register services, and gain remote access.

Solution

Only allow localhost connections, and set up a firewall and ACLs.

See Also

https://www.consul.io/docs/internals/security.html

https://www.consul.io/api/acl.html

Plugin Details

Severity: High

ID: 111351

File Name: hashicorp_consul_web_api.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 2018/07/26

Modified: 2018/07/27

Dependencies: 10107

Risk Information

Risk Factor: High

CVSS Score Source: manual

CVSS Score Rationale: NVD has no score for this CVE. Tenable Research analyzed the issue and assigned one.

CVSSv2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSSv3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H