======================================================================

                             CERT-Renater

                Note d'Information No. 2024/VULN550
_____________________________________________________________________

DATE                : 20/12/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nomad Community Edition versions
                     prior to 1.9.4, and Nomad Enterprise versions
                     prior to 1.9.4, 1.8.8, 1.7.16.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2024-29-nomad-allocations-vulnerable-to-privilege-escalation-within-a-namespace-using-unredacted-workload-identity-token/72119
_____________________________________________________________________


HCSEC-2024-29 - Nomad Allocations Vulnerable To Privilege Escalation
Within A Namespace Using Unredacted Workload Identity Token


dduzgun-security, December 20, 2024, 1:47am

Bulletin ID: HCSEC-2024-29

Affected Products / Versions:
Nomad Community Edition from 1.4.0 up to 1.9.3, fixed in 1.9.4.
Nomad Enterprise from 1.4.0 up to 1.9.3, 1.8.7, 1.7.15, fixed in
1.9.4, 1.8.8, and 1.7.16.


Publication Date: December 19, 2024

Summary
Nomad Community and Nomad Enterprise (“Nomad”) allocations are
vulnerable to privilege escalation within a namespace through
unredacted workload identity tokens. This vulnerability, identified
as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and
Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.


Background
Every workload running in Nomad is given a default identity. When an
allocation is accepted by the scheduler, the leader generates a
Workload Identity for each task in the allocation. This workload
identity is a JSON Web Token (JWT) that has been signed by the
leader’s keyring. Additional workload identities may be defined
in tasks and services using the identity block.

You can associate additional ACL policies with workload identities
by passing the -job, -group, and -task flags to nomad acl policy
apply. When Nomad resolves a workload identity claim, it will
automatically include policies that match. If no matching policies
exist, the workload identity does not have any additional capabilities.

Details
The Read Allocation API and the alloc command return allocation data
that includes the Workload Identity token of each task; this token
grants access to the workload's Nomad variables and service discovery.
Because ACL policies can be associated with a workload identity, a user
with only namespace:read access can obtain these tokens and potentially
escalate privileges to the additional policies granted to any workload
within the namespace.
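As an added audit helper (not part of this advisory or of Nomad's own code), the script below scans a Read Allocation response for signed workload identity tokens and reports which task, namespace and job each one belongs to, so an operator can verify that the tokens are redacted after upgrading. The `SignedIdentities` field name and the `nomad_*` claim names are assumptions about the response shape, and the sample allocation is constructed.

```python
import base64
import json

# Helpers to build a constructed, unsigned-in-practice JWT for the sample.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sample_jwt(claims: dict) -> str:
    header = _b64url({"alg": "RS256", "typ": "JWT", "kid": "constructed"})
    return f"{header}.{_b64url(claims)}.c2lnbmF0dXJl"  # placeholder signature

# Constructed sample of a Read Allocation response (not real cluster data).
# "SignedIdentities" is an assumed field name; adjust it to what your
# cluster actually returns.
SAMPLE_ALLOC = {
    "ID": "aaaaaaaa-constructed-alloc-id",
    "Namespace": "prod",
    "JobID": "payments",
    "SignedIdentities": {
        "api": _sample_jwt({"nomad_namespace": "prod", "nomad_job_id": "payments",
                            "nomad_task": "api", "sub": "prod:payments:api:default"}),
    },
}

def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying it (audit only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def find_exposed_identities(alloc: dict) -> list[dict]:
    """Return one finding per task whose signed workload identity is present
    (unredacted) in the allocation JSON. An empty list means nothing leaked."""
    findings = []
    for task, token in (alloc.get("SignedIdentities") or {}).items():
        claims = decode_claims(token)
        findings.append({
            "alloc": alloc.get("ID"),
            "task": task,
            "namespace": claims.get("nomad_namespace"),
            "job": claims.get("nomad_job_id"),
        })
    return findings

if __name__ == "__main__":
    for f in find_exposed_identities(SAMPLE_ALLOC):
        print(f"UNREDACTED identity for task {f['task']} in {f['namespace']}/{f['job']}")
```

Run it against the JSON returned by your own cluster's Read Allocation endpoint after upgrading; a patched server should yield no findings.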


Remediation
Customers should evaluate the risk associated with this issue and
consider upgrading to Nomad 1.9.4, 1.8.8, 1.7.16, or newer.

Please refer to Upgrading Nomad for general guidance and the Upgrade
Guides for version-specific upgrade notes.


Acknowledgement
This issue was identified by HashiCorp's Nomad engineering teams.

We deeply appreciate any effort to coordinate disclosure of security
vulnerabilities. For information about security at HashiCorp and
the reporting of security vulnerabilities, please see
https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
