Consul Connect gRPC security

[bharadwajrembar]

Overview of the Issue

We enabled Connect on our Consul Cluster. When running a Nessus scan, the gRPC port 8502, serving the xDS Envoy server, showed the following vulnerabilities:

"The remote service accepts connections encrypted using SSL 2.0 and/or
SSL 3.0. These versions of SSL are affected by several cryptographic
flaws, including:

  - An insecure padding scheme with CBC ciphers.

  - Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle
attacks or to decrypt communications between the affected service and
clients.

Although SSL/TLS has a secure means for choosing the highest supported
version of the protocol (so that these versions will be used only if
the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade
a connection (such as in POODLE). Therefore, it is recommended that
these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure
communications. As of the date of enforcement found in PCI DSS v3.1,
any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'."

Reproduction Steps

Steps to reproduce this issue, eg:

nmap --script ssl* -p 8502 <host>

Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-07 17:01 UTC
Nmap scan report for cn-server1.example.com (xx.xx.xx.xx)
Host is up (0.000049s latency).

PORT     STATE SERVICE
8502/tcp open  ftnmtp
| ssl-cert: Subject: commonName=cn-server1.example.com
| Subject Alternative Name: DNS:cn-server1.example.com, DNS:server.us-east-1d.consul
| Issuer: commonName=example.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-10T14:05:53
| Not valid after:  2028-12-06T14:06:22
| MD5:   3664 8d98 c940 20a2 0aad 6124 17ba be93
|_SHA-1: cb37 1e98 db19 3531 186f 2092 93be 9d99 f7c1 edb3
|_ssl-date: TLS randomness does not represent time
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Forward Secrecy not supported by any cipher
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Forward Secrecy not supported by any cipher
|_  least strength: C
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

Consul info for both Client and Server

Client info

agent:
	check_monitors = 0
	check_ttls = 12
	checks = 53
	services = 53
build:
	prerelease = dev
	revision = d7d8e8bc
	version = 1.6.0
consul:
	acl = enabled
	known_servers = 3
	server = false
runtime:
	arch = amd64
	cpu_count = 16
	goroutines = 87271
	max_procs = 16
	os = linux
	version = go1.12.4
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 33
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 677
	members = 12
	query_queue = 0
	query_time = 1

^^ Custom binary

Server info

agent:
	check_monitors = 0
	check_ttls = 0
	checks = 3
	services = 3
build:
	prerelease =
	revision = 944cc710
	version = 1.6.0
consul:
	acl = enabled
	bootstrap = false
	known_datacenters = 1
	leader = false
	leader_addr = <ip>:8300
	server = true
raft:
	applied_index = 12257964
	commit_index = 12257964
	fsm_pending = 0
	last_contact = 47.866637ms
	last_log_index = 12257964
	last_log_term = 1348
	last_snapshot_index = 12255375
	last_snapshot_term = 1348
	latest_configuration = [{Suffrage:Voter ID:e4a8e6ea-5e99-6904-2f65-558491327f42 Address:<ip1>:8300} {Suffrage:Voter ID:f4e74d29-e8aa-c437-82e7-2da3964d3a0d Address:<ip2>:8300} {Suffrage:Voter ID:fb870b9c-b42d-e4d1-88b0-887627b33745 Address:<ip3>:8300}]
	latest_configuration_index = 110659
	num_peers = 2
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Follower
	term = 1348
runtime:
	arch = amd64
	cpu_count = 2
	goroutines = 2486
	max_procs = 2
	os = linux
	version = go1.12.8
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 33
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 677
	members = 12
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 35
	members = 3
	query_queue = 0
	query_time = 1

Operating system and Environment details

CentOS 7

Is it expected for the config to use SSL V2/3 ? Is there any way to remediate all of this?

[bharadwajrembar]

@armon @mitchellh Could you please have someone address the above if possible?

[mkeeler]

@bharadwajrembar Thanks for the report. This is in fact an issue and it will be addressed in an upcoming release. Currently there is no mitigation other than to disable the gRPC server by setting the port config to -1.

In the future please send potential vulnerability related security issues to [email protected] instead of posting in an issue on GitHub.

[bharadwajrembar]

Im sorry for that. Will do so in the future 👍

[schristoff]

Howdy -
It looks like this issue has been answered at this time. I am going to go ahead and close this issue. If you think it should remain open, please comment back and let us know why!

Thanks!