CVE-2019-12741: ACL Privilege Escalation in Nomad #6430

Closed
notnoop opened this issue Oct 7, 2019 · 4 comments · Fixed by #6441
notnoop commented Oct 7, 2019

Following a user report, we discovered that in federated Nomad clusters with ACL replication enabled, a user with agent capability can gain management-level access in all federated clusters. This vulnerability affects Nomad versions since 0.7.0, both OSS and Enterprise.

This issue outlines details about this vulnerability and describes steps for remediation.

Background

Nomad supports federating multiple regions, with one serving as the authoritative region for the ACL system. Servers in non-authoritative regions replicate ACL policies and tokens using a management token from the authoritative region, which is configured in the acl block.

The Nomad agent exposes its state and configuration through the /v1/agent/self endpoint, and it returns the replication token unredacted. An attacker with Agent.Read can look up the replication token and escalate their privilege to full management tokens on all regions. They may use their elevated access to create further management tokens or look up info on other ACL tokens for further use.

This vulnerability constitutes a serious unintentional leak of sensitive configuration, and Nomad 0.9.6 will return “” as the value for this token when querying the API.

Remediation

Operators should upgrade to 0.9.6. Only Nomad servers need the replication token set, so operators should also verify clients don’t have this configuration option set to limit the spread of sensitive tokens. If only the servers have the replication token set, then only the servers need to be updated to patch the vulnerability. It is advised that operators rotate the replication token if set.

Operators can also audit their policies and drop agent capabilities, except for those with effectively management-level access.
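The two remediation checks above (is an agent still returning the replication token, and is the token set on a client rather than a server; which policies grant the agent capability) as an added audit script that is not part of the issue or of Nomad itself. It assumes the /v1/agent/self JSON carries the config under config.ACL.ReplicationToken, config.Server.Enabled and config.Client.Enabled, and inspects policy HCL with a simple pattern rather than a full HCL parser; the sample responses and policy are constructed.

```python
import json
import re

# Constructed sample of a pre-0.9.6 GET /v1/agent/self body from a client agent
# (field names assumed to follow Nomad's agent config struct).
SAMPLE_CLIENT_SELF = json.dumps({
    "config": {
        "ACL": {"Enabled": True, "ReplicationToken": "PLACEHOLDER-REPLICATION-TOKEN"},
        "Server": {"Enabled": False},
        "Client": {"Enabled": True},
    }
})

# Constructed sample of a patched server agent: the token is returned as "".
SAMPLE_SERVER_SELF_PATCHED = json.dumps({
    "config": {
        "ACL": {"Enabled": True, "ReplicationToken": ""},
        "Server": {"Enabled": True},
        "Client": {"Enabled": False},
    }
})

# Constructed sample ACL policy in Nomad's HCL syntax.
SAMPLE_POLICY = '''
namespace "default" { policy = "read" }
agent { policy = "read" }
'''

# Matches an agent block granting read or write (deny is not a finding).
AGENT_CAP_RE = re.compile(r'agent\s*\{[^}]*policy\s*=\s*"(read|write)"', re.S)


def audit_agent_self(body: str) -> list:
    """Return a list of findings for one agent's /v1/agent/self response."""
    cfg = json.loads(body).get("config") or {}
    token = (cfg.get("ACL") or {}).get("ReplicationToken") or ""
    is_server = bool((cfg.get("Server") or {}).get("Enabled"))
    findings = []
    if token:
        findings.append("replication token returned unredacted: agent is not running the 0.9.6 fix")
        if not is_server:
            findings.append("replication_token is set on a client: only servers need it")
    return findings


def agent_capability(policy_hcl: str):
    """Return the agent policy level ('read' or 'write') a policy grants, or None."""
    m = AGENT_CAP_RE.search(policy_hcl)
    return m.group(1) if m else None


if __name__ == "__main__":
    for finding in audit_agent_self(SAMPLE_CLIENT_SELF):
        print(finding)
    print("agent capability in sample policy:", agent_capability(SAMPLE_POLICY))
```

Any policy for which agent_capability returns a level should be reviewed and the agent block dropped unless the holder is meant to have management-level access anyway.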

notnoop changed the title from "reserved 12741" to "CVE-2019-12741: ACL Privilege Escalation in Nomad" Oct 8, 2019
attritionorg commented

Apologies for replying to an old issue, but can you verify that CVE ID please?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12741
hapifhir/hapi-fhir@8f41159
hapifhir/hapi-fhir#1335
https://github.com/jamesagnew/hapi-fhir/releases/tag/v3.8.0

The vulnerability described in this issue sounds considerably different than a reflected XSS in HAPI-FHIR and I don't see that software included in Nomad based on a quick search. Thanks!
tag @notnoop

tgross commented Sep 23, 2022

@attritionorg that does look wrong to me. The other CVEs from the same release show up as "reserved" on Mitre too. I'd need to follow up with our product security folks (cc @picatz) to dig up our internal records on that, as these versions are out of support for us and so not really on our radar right now.

attritionorg commented

@tgross Appreciate the quick follow-up. It's rare to see a duplicate assignment across products like this, as dupes tend to be within the same organization.

github-actions bot commented

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked as resolved and limited conversation to collaborators Jan 22, 2023