Following a user report, we discovered that in some cases raw_exec driver can be invoked even if it is disabled on the client. An authorized user may run a task with higher privileges than operators have configured for the cluster. This vulnerability affects Nomad versions 0.8.0 and later, both OSS and Enterprise, in Nomad clusters where a single job specification contains a task group whose tasks have multiple task drivers, one of which is raw_exec.
This issue outlines details about this vulnerability and describes steps for remediation.
Background
By default, the Nomad raw_exec driver is disabled, because it runs task processes as root without constraints. Operators must explicitly enable it through a client config option before raw_exec tasks are allowed. A combination of two bugs allows raw_exec tasks to run even when the operator has disabled the driver.
The first bug is in the scheduler's handling of jobs that require multiple drivers. The Nomad scheduler should only place such jobs on nodes where all of those drivers are present and healthy. The bug causes the scheduler to skip this check and assign the allocation to a client that is missing one or more of the drivers. In typical scenarios, the resulting allocation simply fails to launch because of the missing drivers.
The second bug is that, even though the raw_exec driver is disabled, it is still loaded and available to the client. If a raw_exec task is erroneously assigned to a Nomad client, the client runs the task even though raw_exec was disabled on that client.
Nomad version 0.9.6 fixes both of these bugs. It ensures that the scheduler properly checks the health of every driver a job requires, and that the raw_exec driver cannot start any tasks when it is disabled.
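The following is an added illustration of the node-feasibility check the first bug skipped; it is not Nomad's own code, and the `DriverInfo`, `Node` and `Task` types are simplified stand-ins for the client's driver fingerprints and the job's task definitions. A task group that mixes docker and raw_exec tasks must only be placed on a node where both drivers are detected and healthy, so a client with raw_exec disabled is never a candidate.

```go
package main

import "fmt"

// DriverInfo is the per-driver state a client fingerprints and reports to
// the servers (illustrative type, not Nomad's own).
type DriverInfo struct {
	Detected bool
	Healthy  bool
}

// Node is a scheduling candidate with its reported driver fingerprints.
type Node struct {
	Name    string
	Drivers map[string]DriverInfo
}

// Task carries only the field the feasibility check needs.
type Task struct {
	Name   string
	Driver string
}

// requiredDrivers collects the distinct drivers used by all tasks in a
// group; a group mixing docker and raw_exec tasks requires both.
func requiredDrivers(tasks []Task) map[string]bool {
	req := make(map[string]bool)
	for _, t := range tasks {
		req[t.Driver] = true
	}
	return req
}

// NodeIsFeasible is the check the advisory says the scheduler skipped:
// every driver the group needs must be detected and healthy on the node.
// A client with raw_exec disabled reports no healthy raw_exec driver, so
// it is infeasible for any group that contains a raw_exec task.
func NodeIsFeasible(n Node, tasks []Task) (bool, string) {
	for driver := range requiredDrivers(tasks) {
		info, ok := n.Drivers[driver]
		if !ok || !info.Detected {
			return false, fmt.Sprintf("node %s: driver %s not present", n.Name, driver)
		}
		if !info.Healthy {
			return false, fmt.Sprintf("node %s: driver %s unhealthy", n.Name, driver)
		}
	}
	return true, ""
}
```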
Remediation
Operators should update Nomad servers to version 0.9.6 to patch this vulnerability. Alternatively, operators can ensure the raw_exec driver isn't loaded on clients by using the driver.blacklist option:
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.