HCSEC-2021-21 - Nomad Raft RPC Privilege Escalation

Bulletin ID: HCSEC-2021-21
Affected Products / Versions: Nomad and Nomad Enterprise through 1.1.3; fixed in 1.0.10 and 1.1.4.
Publication Date: September 1, 2021

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that client agents can escalate privileges by directly communicating with the server agent’s Raft RPC layer. This vulnerability, CVE-2021-37218, was fixed in Nomad 1.0.10 and 1.1.4.

Nomad uses mTLS for agent communication between Nomad client and server agents. This provides an encrypted and authenticated RPC channel. A subset of the available server RPC functionality is meant to be exposed to client agents, with the others intended for server agent usage only.

During internal testing, it was observed that using a non-server certificate from the configured Nomad CA enables access to server-only Raft RPC functionality.

Nomad’s RPC authentication logic has been modified to correctly enforce server-only access for the Raft RPC layer.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.10, 1.1.4, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

This issue was identified by the HashiCorp engineering & product security teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.