We’ve recently become aware of a set of malware targeting Consul nodes with a specific configuration which allows remote code execution. Members of our community also (responsibly) reported incidents caused by this malware, and worked with us to include a patch in a recent version of Consul that protects from this threat in the wild. This post details how this malware may affect users, depending on their configuration, as well as outlines the steps we’ve taken to backport a patch for versions 1.2.4, 1.1.1, 1.0.8, and 0.9.4 to make it easy for older versions of Consul to be secured without a major version upgrade.
You should take action if you have -enable-script-checks set to true, or are running Consul 0.9.0 or earlier, and the Consul API is available on an interface that can be accessed over the network. Upgrade to one of the versions linked below. Change -enable-script-checks to -enable-local-script-checks on Consul agents if script checks are required.
Disable script checks on Consul servers. Ensure the Consul HTTP API is bound to a loopback interface instead of one publicly accessible. Enable ACLs if not already enabled.
Source: hashicorp.com