Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nomad Search API Leaks Information About CSI Plugins #17906

Closed
tgross opened this issue Jul 11, 2023 · 0 comments
Closed

Nomad Search API Leaks Information About CSI Plugins #17906

tgross opened this issue Jul 11, 2023 · 0 comments
Labels
theme/security type/bug
Milestone
1.6.0

Comments

@tgross
Copy link
Member

tgross commented Jul 11, 2023
edited
Loading

Affected Products / Versions: Nomad and Nomad Enterprise 0.11 up to 1.5.6 and 1.4.1; fixed in 1.6.0, 1.5.7, and 1.4.11.

Summary:
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability, CVE-2023-3300, affects Nomad since 0.11 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background:
Nomad provides a search HTTP API filtered by ACL policies so that unauthenticated users or users without the appropriate read/list permissions cannot search for objects they don't have access to. HTTP endpoints are used both internally by Nomad, and externally by administrators or operators to interact with the cluster, and are also secured using mTLS.

Details:
Internal testing by the Nomad engineering team identified it was possible to bypass intended ACL restrictions on the search API endpoint, which exposed only the names of CSI plugins configured in the cluster.

Nomad administrators should use mTLS for HTTP and RPC endpoints. More requirements and recommendations for a secure Nomad deployment can be found in the security model.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, and 1.4.11, or newer.

See Nomad’s Upgrading for general guidance on this process.
@tgross tgross added this to the 1.6.0 milestone Jul 11, 2023
lgfa29 pushed a commit that referenced this issue Jul 18, 2023
@tgross @lgfa29
search: fix ACL filtering for plugins and variables
e2300f1 
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
lgfa29 pushed a commit that referenced this issue Jul 18, 2023
@tgross @lgfa29
search: fix ACL filtering for plugins and variables
4d34954 
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
lgfa29 pushed a commit that referenced this issue Jul 18, 2023
@tgross @lgfa29
search: fix ACL filtering for plugins and variables
7eba8cf 
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
@lgfa29 lgfa29 closed this as completed in a8789d3 Jul 19, 2023
@EtienneBruines EtienneBruines mentioned this issue Jul 19, 2023
Merged
12 tasks
@tgross tgross changed the title (placeholder) Nomad Search API Leaks Information About CSI Plugins Jul 19, 2023
EtienneBruines added a commit to EtienneBruines/nixpkgs that referenced this issue Jul 20, 2023
@EtienneBruines
nomad_1_5: 1.5.6 -> 1.5.7
71e5713 
https://github.com/hashicorp/nomad/releases/tag/v1.5.7

CVE notes from upstream:

acl: Fixed a bug where a namespace ACL policy without label was applied to an unexpected namespace. CVE-2023-3072 [hashicorp/nomad#17908]
search: Fixed a bug where ACL did not filter plugin and variable names in search endpoint. CVE-2023-3300 [hashicorp/nomad#17906]
sentinel (Enterprise): Fixed a bug where ACL tokens could be exfiltrated via Sentinel logs CVE-2023-3299 [hashicorp/nomad#17907]
EtienneBruines added a commit to EtienneBruines/nixpkgs that referenced this issue Jul 20, 2023
@EtienneBruines
nomad_1_5: 1.5.6 -> 1.5.7
d345dda 
https://github.com/hashicorp/nomad/releases/tag/v1.5.7

CVE notes from upstream:

acl: Fixed a bug where a namespace ACL policy without label was applied to an unexpected namespace. CVE-2023-3072 [hashicorp/nomad#17908]
search: Fixed a bug where ACL did not filter plugin and variable names in search endpoint. CVE-2023-3300 [hashicorp/nomad#17906]
sentinel (Enterprise): Fixed a bug where ACL tokens could be exfiltrated via Sentinel logs CVE-2023-3299 [hashicorp/nomad#17907]
jrasell pushed a commit that referenced this issue Jul 26, 2023
@tgross @jrasell
search: fix ACL filtering for plugins and variables
e63565b 
ACL permissions for the search endpoints are done in three passes. The
first (the `sufficientSearchPerms` method) is for performance and coarsely
rejects requests based on the passed-in context parameter if the user has no
permissions to any object in that context. The second (the
`filteredSearchContexts` method) filters out contexts based on whether the user
has permissions either to the requested namespace or again by context (to catch
the "all" context). Finally, when iterating over the objects available, we do
the usual filtering in the iterator.

Internal testing found several bugs in this filtering:
* CSI plugins can be searched by any authenticated user.
* Variables can be searched if the user has `job:read` permissions to the
  variable's namespace instead of `variable:list`.
* Variables cannot be searched by wildcard namespace.

This is an information leak of the plugin names and variable paths, which we
don't consider to be privileged information but intended to protect anyways.

This changeset fixes these bugs by ensuring CSI plugins are filtered in the 1st
and 2nd pass ACL filters, and changes variables to check `variable:list` in the
2nd pass filter unless the wildcard namespace is passed (at which point we'll
fallback to filtering in the iterator).

Fixes: CVE-2023-3300
Fixes: #17906
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
theme/security type/bug
Projects
None yet
Milestone
1.6.0
Development

No branches or pull requests
1 participant
@tgross