HCSEC-2021-14 - Nomad Bridge Networking Mode Allows ARP Spoofing From Other Bridged Tasks On Same Node

Bulletin ID: HCSEC-2021-14
Affected Products / Versions: Nomad and Nomad Enterprise up to 1.0.4; fixed in 0.12.12, 1.0.5 and 1.1.0 RC1
Publication Date: May 12, 2021

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that Nomad’s bridge networking mode allows ARP spoofing from other bridged tasks on the same node. This vulnerability, CVE-2021-32575, affects all Nomad versions up to 1.0.4, and is fixed in the 0.12.12, 1.0.5 and 1.1.0 RC1 releases.

Nomad task drivers implement various levels of resource isolation. For network-level isolation, Nomad provides a bridge networking mode that will place tasks inside the same group inside an isolated network namespace. This network namespace is connected with the host using a virtual network interface through the CNI bridge plugin.

It was discovered that processes launched by the docker, exec, and java task drivers that make use of Nomad’s bridge networking mode can perform ARP spoofing attacks against other tasks on the same node. Specifically, tasks making use of bridge networking are susceptible to other tasks on the same node performing DoS and MITM attacks due to the default enablement of the CAP_NET_RAW Linux capability by these task drivers.

This affects all known versions of Nomad, but exposure is specific to Nomad clients running docker, exec, or java task drivers on Linux with tasks making use of bridge networking mode. Third-party driver plugins that use the shared library code may be similarly affected.

The fix may be considered breaking for some Nomad environments, as it disables the CAP_NET_RAW Linux capability by default for docker, exec, and java task drivers. Previous behavior can be restored for the docker task driver using the allow_caps plugin configuration option, and a future Nomad release will enable similar configurability for the exec and java task drivers.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 0.12.12, 1.0.5, 1.1.0 RC1, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

If unable to upgrade immediately, customers may consider disabling CAP_NET_RAW or further restricting the Linux capabilities granted by the Nomad docker task driver via the plugin allow_caps and job spec cap_add and cap_drop configuration options.

This issue was identified by the HashiCorp product security team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.