CVE-2021-37218 Nomad Raft RPC Privilege Escalation

[notnoop]

Summary:

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that client agents can privilege escalate by directly communicating with the server agent’s Raft RPC layer.

Background:

Nomad uses mTLS for agent communication between Nomad client and server agents. This provides an encrypted and authenticated RPC channel. A subset of the available server RPC functionality is meant to be exposed to client agents, with the others intended for server agent usage only.

Details:

During internal testing, it was observed that using a non-server certificate from the configured Nomad CA enables access to server-only Raft RPC functionality.

Nomad’s RPC authentication logic has been modified to correctly enforce server-only access for the Raft RPC layer.

Remediation:

Customers should upgrade to Nomad or Nomad Enterprise 1.0.10, 1.1.4, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.