HCSEC-2020-05 - Nomad's mTLS Authorization Mechanism Susceptible to Privilege Escalation

Bulletin ID: HCSEC-2020-05
Affected Products / Versions: Nomad and Nomad Enterprise, up to 0.10.2; fixed in 0.10.3.
Publication Date: 24 January, 2020

Summary
Nomad and Nomad Enterprise (“Nomad”) up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Assigned CVE-2020-7956, this vulnerability was fixed in Nomad 0.10.3.

Background
Securing Nomad’s cluster communication is not only important for security but can even ease operations by preventing mistakes and misconfigurations. Nomad optionally uses mutual TLS (mTLS) for all HTTP and RPC communication. See Enable TLS Encryption for Nomad for more information.

Details
It was observed that Nomad incorrectly validated the role/region associated with TLS certificates used for mTLS RPC, and was susceptible to privilege escalation.

Remediation
Customers should upgrade to Nomad or Nomad Enterprise 0.10.3, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it privately to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.