HCSEC-2023-13 - Nomad Unauthenticated Client Agent HTTP Request Privilege Escalation

Bulletin ID: HCSEC-2023-13
Affected Products / Versions: Nomad and Nomad Enterprise 1.5.0 up to 1.5.2; fixed in 1.5.3.
Publication Date: April 5, 2023

Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an unauthenticated request sent to a client agent’s HTTP endpoint bypasses intended ACL authorizations when it is processed on the server through internal RPCs. As a result, unauthenticated HTTP requests can be used to submit a job to the cluster if mTLS is not enabled. This vulnerability, CVE-2023-1782, affects Nomad from 1.5.0 up to 1.5.2 and was fixed in 1.5.3.

Background
Nomad server and client agents provide HTTP and RPC endpoints (ports 4646 and 4647 respectively). The RPC endpoints are exclusively used for internal Nomad communication and are secured using mTLS. The HTTP endpoints are used both internally by Nomad, and externally by administrators or operators to interact with the cluster, and are also secured using mTLS.

Details
Automated tooling run by our security team identified that it was possible to bypass ACL restrictions when submitting unauthenticated requests to a Nomad client agent’s HTTP endpoint. This behavior may be used by a malicious operator or third party with network access to this endpoint.

Nomad administrators should always use mTLS for HTTP and RPC endpoints. More requirements and recommendations for a secure Nomad deployment can be found in the security model.
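The following agent configuration fragment is an added illustration of the recommendation above, not part of this bulletin or of Nomad’s own documentation. It shows the weak state (no tls stanza, so both ports accept plaintext and the HTTP endpoint accepts unauthenticated clients) next to the hardened tls and acl stanzas; the certificate paths are assumed placeholders.

```hcl
# Weak state (assumed for illustration): no tls stanza at all, so the
# client agent's HTTP endpoint (4646) accepts plaintext, unauthenticated
# requests from anyone who can reach it, and relies on ACL checks alone.
#
#   client {
#     enabled = true
#   }

# Hardened client agent configuration.
client {
  enabled = true
}

# Enable ACL enforcement; mTLS controls who can connect, ACLs control what
# an authenticated caller may do. Both are needed.
acl {
  enabled = true
}

tls {
  # Require TLS on both the HTTP API (4646) and the RPC port (4647).
  http = true
  rpc  = true

  # Paths are placeholders; issue these from the cluster's own Nomad CA.
  ca_file   = "/etc/nomad.d/tls/nomad-ca.pem"
  cert_file = "/etc/nomad.d/tls/client.pem"
  key_file  = "/etc/nomad.d/tls/client-key.pem"

  # Verify that the RPC peer presents a certificate for the expected
  # server/client role name, not just any certificate from the CA.
  verify_server_hostname = true

  # Require HTTP callers to present a client certificate signed by the CA,
  # so unauthenticated HTTP requests to the client agent are refused at
  # the TLS layer before any endpoint logic runs.
  verify_https_client = true
}
```

After the change, an unauthenticated plaintext request to port 4646 should fail at connection time rather than reaching the job-submission code path; verify this on a client node after restarting the agent.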

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.5.3, or newer.

See Nomad’s Upgrading documentation for general guidance on this process.

Acknowledgement
This issue was identified by the HashiCorp Security and Solutions Engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.