HCSEC-2024-27 - Nomad Vulnerable To Cross-Namespace Volume Creation Abusing CSI Write Permission

Bulletin ID: HCSEC-2024-27
Affected Products / Versions:
Nomad Community Edition from 1.3.0 up to 1.9.1, fixed in 1.9.2.
Nomad Enterprise from 1.3.0 up to 1.9.1, 1.8.6, and 1.7.14, fixed in 1.9.2, 1.8.7, and 1.7.15.

Publication Date: November 7, 2024

Summary
Nomad Community and Nomad Enterprise (“Nomad”) volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.

Background
Nomad’s storage plugin support allows tasks to be scheduled with externally created storage volumes. The Nomad volume specification defines the schema for creating and registering volumes with the volume create and volume register commands. The volume create command creates external storage volumes through Nomad’s Container Storage Interface (CSI) support, for plugins that implement the Controller interface. When ACLs are enabled, both commands require a token with the csi-write-volume capability for the namespace the volume belongs to.

Details
The vulnerability is exploitable by a user who holds the csi-write-volume capability in one namespace and creates or registers an external storage volume with the Nomad volume create or volume register command. A flaw in the authorization check allowed such a user to create volumes in namespaces the token does not cover, bypassing the intended ACLs, by:

  • setting the namespace field in the volume specification to the target namespace, in which the user holds no csi-write-volume capability, while also
  • setting -namespace on the command line (or the equivalent namespace parameter on the API request) to a namespace in which the user does hold that capability

The check was performed against the namespace supplied with the request, while the volume was written to the namespace named in the specification.
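The following Go program is an added illustration of the flaw class described above; it is not Nomad's code, and the bulletin does not state how Nomad's actual patch is structured. The Token, VolumeSpec and both authorize functions are assumptions built for this example: the vulnerable variant checks the capability against the namespace sent with the request and then resolves the spec's namespace field afterwards, while the fixed variant resolves the effective namespace first and checks the capability against that.

```go
package main

import (
	"errors"
	"fmt"
)

// Capability name follows Nomad's ACL vocabulary. The token and policy
// structures below are a simplified stand-in (assumption), not Nomad's.
const capCSIWriteVolume = "csi-write-volume"

// Token maps a namespace name to the set of capabilities granted in it.
type Token struct {
	Name         string
	Capabilities map[string]map[string]bool
}

// Allows reports whether the token grants capability in namespace.
// Lookups on namespaces the token does not mention return false.
func (t Token) Allows(namespace, capability string) bool {
	return t.Capabilities[namespace][capability]
}

// VolumeSpec is the subset of a volume specification that matters here:
// the "namespace" field inside the spec file may differ from the
// namespace supplied with the request.
type VolumeSpec struct {
	ID        string
	Namespace string
}

var ErrPermissionDenied = errors.New("permission denied")

// effectiveNamespace is the namespace the volume would actually be
// written to: the spec's namespace field wins when it is set.
func effectiveNamespace(requestNS string, spec VolumeSpec) string {
	if spec.Namespace != "" {
		return spec.Namespace
	}
	return requestNS
}

// authorizeVulnerable mirrors the flawed ordering: the ACL check uses the
// namespace from the request (-namespace flag / API parameter), and only
// afterwards is the spec's namespace used as the write target.
func authorizeVulnerable(tok Token, requestNS string, spec VolumeSpec) (string, error) {
	if !tok.Allows(requestNS, capCSIWriteVolume) {
		return "", ErrPermissionDenied
	}
	return effectiveNamespace(requestNS, spec), nil
}

// authorizeFixed resolves the effective namespace first and checks the
// capability against it, so the spec cannot steer the write into a
// namespace the token was never authorized for.
func authorizeFixed(tok Token, requestNS string, spec VolumeSpec) (string, error) {
	ns := effectiveNamespace(requestNS, spec)
	if !tok.Allows(ns, capCSIWriteVolume) {
		return "", ErrPermissionDenied
	}
	return ns, nil
}

func main() {
	// Constructed token: csi-write-volume granted only in "dev".
	tok := Token{Name: "dev-operator", Capabilities: map[string]map[string]bool{
		"dev": {capCSIWriteVolume: true},
	}}
	// Constructed spec naming "prod", submitted with -namespace=dev.
	spec := VolumeSpec{ID: "shared-data", Namespace: "prod"}

	ns, err := authorizeVulnerable(tok, "dev", spec)
	fmt.Println("vulnerable ordering: namespace =", ns, "err =", err)
	ns, err = authorizeFixed(tok, "dev", spec)
	fmt.Println("fixed ordering:      namespace =", ns, "err =", err)
}
```

The decisive line is where the namespace is resolved relative to the capability check: any write path that accepts a namespace both in the request envelope and in the payload must authorize against the one it will actually use, and the same pattern applies when reviewing other Nomad or non-Nomad APIs that carry a namespace in two places.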

Remediation
Customers using the volume create or volume register commands should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.2, 1.8.7, 1.7.15, or newer.

Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.

Acknowledgement
This issue was identified by HashiCorp’s Nomad engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.