HCSEC-2023-21 - Nomad Caller ACL Token's Secret ID is Exposed to Sentinel

Bulletin ID: HCSEC-2023-21
Affected Products / Versions: Nomad and Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10; fixed in 1.6.0, 1.5.7, and 1.4.11.
Publication Date: July 19, 2023

Summary
A vulnerability was identified in Nomad Enterprise (“Nomad”) in which the secret ID of the ACL token used by an API caller is exposed to Sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10, and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background
Nomad Enterprise provides an expressive policy-as-code system called Sentinel, which administrators can use to enforce criteria on jobs submitted to a cluster. Authoring or applying Sentinel policies in a cluster requires a management-level (administrative) ACL token.

Details
Internal testing by the Nomad engineering team identified that Sentinel policies could read the secret ID of the ACL token presented by the caller, a value that policy enforcement does not need.

A poorly specified policy can therefore read the caller's secret ID and, if it prints the value, leak it into command and API output, where anyone who can read that output obtains a usable copy of the caller's token. Exploitation requires a management token to submit a Sentinel policy to the cluster, and the policy must explicitly read the secret from the token as nomad_acl_token.secret_id.
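The following audit script is an added example and is not part of this bulletin or of Nomad itself. It shows the policy pattern the bulletin describes (a Sentinel rule that prints nomad_acl_token.secret_id) beside a policy that does not touch the token, and a check that flags any policy source referencing that field. The nomad sentinel list and nomad sentinel read -raw commands are real Nomad Enterprise CLI commands; the parsing of the list output, the grep pattern, and both sample policies are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the advisory or of Nomad). It flags Sentinel
# policy source that references the caller token's secret ID, the field the
# bulletin names (nomad_acl_token.secret_id). Pattern and samples are constructed.

# Print (with line numbers) every line of the policy text on stdin that reads
# the secret ID, via dotted access (nomad_acl_token.secret_id) or bracket
# access (nomad_acl_token["secret_id"]). Exit status 0 = reference found,
# 1 = clean (grep's own semantics).
scan_policy_source() {
    grep -n -E 'nomad_acl_token(\.|\[")secret_id'
}

# Walk every policy currently applied to the cluster. Needs Nomad Enterprise
# and a management token in NOMAD_TOKEN. Assumption: `nomad sentinel list`
# prints a header row followed by one row per policy with the name in the
# first column.
audit_cluster() {
    rc=0
    for name in $(nomad sentinel list | awk 'NR > 1 { print $1 }'); do
        if nomad sentinel read -raw "$name" | scan_policy_source; then
            echo "policy '$name' reads nomad_acl_token.secret_id" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the pattern the bulletin warns about: print() output
# is what ends up in command and API output on affected versions.
LEAKY_POLICY='
main = rule {
    print("submitted with token ", nomad_acl_token.secret_id)
}
'

# Constructed hardened sample: the rule is about the job and never reads the
# caller token at all (job.type is assumed to be the job type field).
SAFE_POLICY='
main = rule {
    job.type is "service"
}
'

# Stand-alone run checks the constructed samples; `--cluster` audits a real
# cluster via the CLI.
if [ "${1:-}" = "--cluster" ]; then
    audit_cluster
else
    printf '%s' "$LEAKY_POLICY" | scan_policy_source && echo "leaky policy flagged (expected)"
    printf '%s' "$SAFE_POLICY" | scan_policy_source || echo "safe policy passes (expected)"
fi
```

Run it with --cluster before and after upgrading: a non-zero exit means at least one applied policy references the secret ID and should be rewritten regardless of the fixed version, since nothing legitimate in policy enforcement needs that value.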

Further requirements and recommendations for a secure Nomad deployment can be found in the Nomad security model.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, or 1.4.11, or newer. Until the upgrade is complete, review the Sentinel policies applied to the cluster and remove any reference to nomad_acl_token.secret_id, since enforcing a policy never requires that value.

See Nomad’s Upgrading guide for general guidance on this process.

Acknowledgement
This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.