Bulletin ID: HCSEC-2024-27
Affected Products / Versions:
Nomad Community Edition from 1.3.0 up to 1.9.1, fixed in 1.9.2.
Nomad Enterprise from 1.3.0 up to 1.9.1, 1.8.6, 1.7.14, fixed in 1.9.2, 1.8.7, and 1.7.15.
Publication Date: November 7, 2024
Summary
Nomad Community and Nomad Enterprise (“Nomad”) volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15.
Background
Nomad’s storage plugin allows scheduling tasks with externally created storage volumes. The Nomad volume specification defines the schema for creating and registering volumes using the volume create and volume register commands. The volume create command creates external storage volumes with Nomad’s Container Storage Interface (CSI) support for plugins that implement the Controller interface. When ACLs are enabled, this command requires a token with the csi-write-volume capability for the volume’s namespace.
Details
The vulnerability is exploitable when a user with the csi-write-volume capability in one namespace creates or registers an external storage volume using the Nomad volume create or volume register command. A flaw in the authorization check allowed an attacker to create volumes across namespaces, bypassing the intended ACLs, by:
setting the namespace field in the volume spec to the target namespace the user does not have permissions to, while also
setting the -namespace for the command line (or API) to the namespace the user does have permissions to.
Remediation
Customers using the volume create or volume register commands should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.2, 1.8.7, 1.7.15, or newer.
Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.
Acknowledgement
This issue was identified by HashiCorp’s Nomad engineering teams.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
When creating or registering a CSI volume, the RPC handler uses the volume
specification's namespace instead of the request namespace. This works as
intended, but the ACL check is only on the request namespace.
This allows a cross-namespace ACL bypass for authenticated users who have
`csi-write-volume` capabilities in one namespace but not another namespace. Such
a user can set the volume specification to a forbidden namespace while setting
the `-namespace` flag in the CLI or API. The ACL check happens against the
namespace they do have permission to, but the volume is created in the forbidden
namespace.
This changeset fixes the bug by moving the namespace check into the loop over
the volumes being written by the RPCs. It also updates the tests to better cover
ACL checking in these two RPCs.
Ref: CVE-2024-10975
Ref: https://hashicorp.atlassian.net/browse/SECVULN-15463
Fixes: #24397
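The following is an added illustration (not Nomad's code) of the authorization flaw in the Details section above and the fix described in the changeset: a toy model in which `Token`, `VolumeSpec`, `Request` and `Store` are constructed types, `registerVulnerable` checks the ACL once against the request namespace before writing volumes into their spec namespace, and `registerFixed` performs the check inside the loop over the volumes being written. The fallback of an empty spec namespace to the request namespace is an assumption of this model.

```go
package main

import "fmt"

// Constructed toy model of the advisory's authorization flow; not Nomad's code.
// Token lists the namespaces in which the caller holds csi-write-volume.
type Token struct{ CSIWriteVolume map[string]bool }
// VolumeSpec carries the namespace field of a volume specification.
type VolumeSpec struct{ ID, Namespace string }
// Request is the -namespace value plus the volumes the RPC will write.
type Request struct {
	Namespace string
	Volumes   []VolumeSpec
}
// Store records which namespace each volume ID was written into.
type Store map[string]string

// registerVulnerable checks the ACL once against the request namespace,
// then writes each volume into the namespace from its own spec.
func registerVulnerable(tok Token, req Request, st Store) error {
	if !tok.CSIWriteVolume[req.Namespace] {
		return fmt.Errorf("permission denied for namespace %q", req.Namespace)
	}
	for _, v := range req.Volumes {
		st[v.ID] = v.Namespace // spec namespace wins, but was never checked
	}
	return nil
}

// registerFixed moves the check into the loop so every volume is authorized
// against the namespace it will actually land in (empty spec namespace
// falling back to the request namespace is an assumption of this model).
func registerFixed(tok Token, req Request, st Store) error {
	for _, v := range req.Volumes {
		ns := v.Namespace
		if ns == "" {
			ns = req.Namespace
		}
		if !tok.CSIWriteVolume[ns] {
			return fmt.Errorf("permission denied for volume %q in namespace %q", v.ID, ns)
		}
		st[v.ID] = ns
	}
	return nil
}

func main() {
	tok := Token{CSIWriteVolume: map[string]bool{"dev": true}}
	req := Request{Namespace: "dev", Volumes: []VolumeSpec{{ID: "vol1", Namespace: "prod"}}}
	fmt.Println("vulnerable:", registerVulnerable(tok, req, Store{})) // <nil>: lands in prod
	fmt.Println("fixed:", registerFixed(tok, req, Store{}))           // permission denied
}
```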