Nomad’s artifact stanza can be exploited by an untrusted operator to escalate to root privileges by exploiting setuid.
This vulnerability affects all versions of Nomad.
Background
To execute workloads, Nomad uses task drivers that provide different resource isolation guarantees. The exec driver provides basic isolation by running tasks in a filesystem sandboxing environment, chroot, and as an unprivileged user, nobody, by default. These controls aim to restrict the task’s destructive access to the host.
In an internal review, we discovered that a malicious operator can use the artifact feature to escalate their privilege in the exec driver to run tasks as root, to manipulate host filesystems, and perform destructive host operations. The operator can use an artifact archive that contains an executable with the setuid bit enabled to gain root access.
setuid is a Unix access rights flag that allows users to run executables with the permissions of the executable's owner. sudo, the widespread tool, uses setuid to run commands in a temporary and controlled root privilege context. A malicious attacker can create an executable that escalates to root without sudo-like checks.
Nomad 0.9.5 fixes the attack vector by disabling the setuid flag on any files downloaded through artifacts.
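The mitigation described above, clearing the setuid flag on downloaded files, can be sketched as a walk over an unpacked artifact directory. This is an added example, not Nomad's own code; the name `stripSetid`, the choice to clear setgid as well, and the command-line wrapper are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// stripSetid (hypothetical name) walks root and clears the setuid and setgid
// bits on every regular file, returning the paths it changed.
func stripSetid(root string) ([]string, error) {
	const setid = os.ModeSetuid | os.ModeSetgid
	var changed []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // lstat semantics: symlinks are not followed
		if err != nil {
			return err
		}
		// Only regular files: os.Chmod follows symlinks, so touching a link
		// could change a file outside the artifact directory.
		if !info.Mode().IsRegular() || info.Mode()&setid == 0 {
			return nil
		}
		if err := os.Chmod(path, info.Mode()&^setid); err != nil {
			return err
		}
		changed = append(changed, path)
		return nil
	})
	return changed, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: stripsetid <artifact-dir>")
		os.Exit(2)
	}
	changed, err := stripSetid(os.Args[1])
	fmt.Println("cleared setuid/setgid on:", changed)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```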