HCSEC-2020-23 - Nomad File Sandbox Escape via Container Volume Mount

Bulletin ID: HCSEC-2020-23
Affected Products / Versions: Nomad and Nomad Enterprise 0.9.0 through 0.12.7; fixed in 0.12.8, 0.11.7, and 0.10.8.
Publication Date: 11 November, 2020

Summary
A vulnerability, CVE-2020-28348, was discovered in Nomad and Nomad Enterprise (“Nomad”) such that an operator with job submission capabilities can mount the host file system of a client agent and subvert the default Docker file sandbox feature when not explicitly disabled or when using a volume mount type.

Background
Nomad disables host filesystem access by default to prevent job operators from accessing the client filesystem used to persistently store any required data on disk. The Docker task driver provides a volume mount type which can be used to access the client host filesystem from within a container, but clients must be configured to enable mounting directories outside an allocation’s path to prevent abuse from potentially untrusted operators.

Details
Issues were discovered internally and externally affecting Nomad’s file sandbox features when using the Docker task driver. As a result, an operator with job submission capabilities can mount the host file system of a client agent and subvert the default Docker file sandbox feature when it is not explicitly disabled, or when using a volume mount type.

For 0.12.0 through 0.12.7, the intended default deny configuration for volume access was not respected unless explicitly declared in the client configuration.
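Because the 0.12.0 through 0.12.7 clients only honoured the deny when it was spelled out, an operator reviewing a client agent configuration would want the Docker driver's volume setting declared explicitly rather than left to the default. The fragment below is an added example and is not taken from the bulletin or from HashiCorp's documentation; it uses the Docker task driver's `plugin "docker"` block and its `volumes` stanza as they appear in a Nomad client agent configuration file, and assumes the client has no legitimate need for jobs to bind-mount paths outside the allocation directory.

```hcl
# Nomad client agent configuration (added example, not from the bulletin).
# Declaring the deny explicitly, instead of relying on the implicit default,
# is the setting that affected 0.12.x clients failed to apply on their own.
plugin "docker" {
  config {
    volumes {
      # Refuse Docker volume mounts that point outside the allocation
      # directory; tasks can still use their own alloc/ and local/ paths.
      enabled = false
    }
  }
}
```

The explicit declaration is a hardening step for clients that cannot be upgraded immediately; upgrading to a fixed release, as given under Remediation, remains the fix for the issue itself, and any client that genuinely needs host volume mounts should keep the setting enabled only on nodes that accept jobs from trusted operators.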

This issue is identified publicly as CVE-2020-28348.

Remediation
Customers should upgrade to Nomad or Nomad Enterprise 0.12.8, 0.11.7, 0.10.8, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Florian Apolloner.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.