Vulnerability ID: CVE-2020-7956
Versions: Previous versions of Nomad and Nomad Enterprise; fixed in 0.10.3.
Nomad 0.10.3 includes a fix for a privilege escalation vulnerability in validating TLS certificates for RPC with mTLS. Nomad RPC endpoints validated that TLS client certificates had not expired and were signed by the same CA as the Nomad node, but did not correctly check the certificate's name for the role and region as described in the Securing Nomad with TLS guide. This allows trusted operators with a client certificate signed by the CA to send RPC calls as a Nomad client or server node, bypassing access control and accessing any secrets available to a client.
Nomad clusters configured for mTLS following the Securing Nomad with TLS guide or the Vault PKI Secrets Engine Integration guide should already have certificates that will pass validation. Before upgrading to Nomad 0.10.3, operators using mTLS with verify_server_hostname = true should confirm that the common name or SAN of all Nomad client node certs is client.<region>.nomad, and that the common name or SAN of all Nomad server node certs is server.<region>.nomad, where <region> is the node's Nomad region.
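The two paragraphs above describe the same check from two sides: the fix makes the RPC layer require a role-and-region name in the certificate in addition to a valid CA chain and expiry, and operators are asked to confirm their existing node certs carry that name before upgrading. The following is an added example written for this page, not Nomad's own code: it builds a throwaway CA, issues one client-node certificate named per the guide (client.global.nomad) and one validly signed certificate with no node name, and shows that a name-aware verifier accepts only the first. The function names, the region "global", and the constructed certificates are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// expectedNodeName returns the name the Securing Nomad with TLS guide assigns to a node:
// <role>.<region>.nomad, with role being "client" or "server".
func expectedNodeName(role, region string) string {
	return fmt.Sprintf("%s.%s.nomad", role, region)
}

// verifyNodeCert performs the pre-fix check (chain to the cluster CA, validity window)
// and then the check the fix adds: the CN or a DNS SAN must equal the expected node name.
// A certificate that is merely signed by the CA is not enough to act as a node.
func verifyNodeCert(cert *x509.Certificate, roots *x509.CertPool, role, region string) error {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain/expiry check failed: %w", err)
	}
	want := expectedNodeName(role, region)
	if cert.Subject.CommonName == want {
		return nil
	}
	for _, san := range cert.DNSNames {
		if san == want {
			return nil
		}
	}
	return fmt.Errorf("certificate CN %q / SANs %v do not name %q", cert.Subject.CommonName, cert.DNSNames, want)
}

// newCA creates a constructed, in-memory CA (hypothetical; stands in for the cluster CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a leaf certificate with the CA; cn and sans are the names under test.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo issues a properly named client-node cert and a validly signed but unnamed
// operator cert from the same CA, then checks both as a "client" in region "global".
// Expected: nodeErr == nil, operatorErr != nil.
func Demo() (nodeErr, operatorErr error) {
	ca, caKey, err := newCA()
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	node, err := issue(ca, caKey, 2, "client.global.nomad", []string{"client.global.nomad", "localhost"})
	if err != nil {
		return err, err
	}
	operator, err := issue(ca, caKey, 3, "operator-cli", nil)
	if err != nil {
		return err, err
	}
	return verifyNodeCert(node, roots, "client", "global"), verifyNodeCert(operator, roots, "client", "global")
}

func main() {
	nodeErr, operatorErr := Demo()
	fmt.Println("client node cert:", nodeErr)
	fmt.Println("operator cert as client node:", operatorErr)
}
```

The same verifyNodeCert logic, pointed at the certificates loaded from disk with x509.ParseCertificate, is the confirmation the advisory asks operators to run before upgrading: every client cert must satisfy it for role "client" and every server cert for role "server" in the node's region.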
preetapan changed the title from "Reserved Issue Number" to "CVE-2020-7956: Privilege escalation due to incorrect certificate validation for role/region" on Jan 30, 2020.
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.