CVE-2020-27195

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass the file sandbox feature in HashiCorp Nomad clients using template or artifact stanzas, potentially leading to arbitrary file access or code execution. It affects Nomad and Nomad Enterprise versions 0.9.0 through 0.12.5. Organizations using these versions with client file sandboxing enabled are at risk.

💻 Affected Systems

Products:
  • HashiCorp Nomad
  • HashiCorp Nomad Enterprise
Versions: 0.9.0 up to 0.12.5
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments that use the client file sandbox feature with template or artifact stanzas.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of Nomad client nodes allowing arbitrary code execution, data exfiltration, and lateral movement within the cluster.

🟠 Likely Case: Unauthorized file access on client nodes, potentially exposing sensitive configuration data or credentials.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege access controls are implemented.

🌐 Internet-Facing: MEDIUM - Requires access to Nomad API endpoints, but many deployments expose these internally only.
🏢 Internal Only: HIGH - Internal attackers or compromised workloads can exploit this to escalate privileges within the cluster.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires submitting malicious job specifications to the Nomad API with appropriate permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.6, 0.11.5, or 0.10.6

Vendor Advisory: https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0126-october-21-2020

Restart Required: Yes

Instructions:

1. Download patched version from https://www.nomadproject.io/downloads
2. Stop Nomad services
3. Replace binaries with patched version
4. Restart Nomad services
5. Verify all nodes are running patched version

🔧 Temporary Workarounds

Disable vulnerable features

all

Temporarily disable template and artifact stanzas in job specifications

# Modify Nomad job files to remove template {} and artifact {} stanzas
# Update ACL policies to restrict job submission with these features

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nomad clients from sensitive systems
  • Apply least privilege ACL policies to restrict job submission capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Nomad version with the 'nomad version' command and verify whether it is between 0.9.0 and 0.12.5 inclusive

Check Version:

nomad version

Verify Fix Applied:

Confirm the version is 0.12.6, 0.11.5, or 0.10.6 using the 'nomad version' command
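
The check above, as an added example (not HashiCorp's code) that accounts for the fixed releases on the older release lines, which a plain "0.9.0 to 0.12.5" range comparison would misreport. The function name and sample strings are constructed, and the script assumes that later patch releases on the 0.10.x and 0.11.x lines keep the fix.

```shell
#!/bin/sh
# Added example: classify Nomad versions against the ranges this page lists
# for CVE-2020-27195 (affected 0.9.0 through 0.12.5; fixed 0.10.6, 0.11.5, 0.12.6).
# Assumption: later patch releases on the 0.10.x and 0.11.x lines keep the fix.

# Prints "vulnerable", "fixed", "outside-range" or "unknown" for one version string.
classify_nomad_version() {
    # Pull the first X.Y.Z out of the first line, ignoring "Nomad v", hash, "+ent".
    ver=$(printf '%s\n' "$1" |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}

    # Only the 0.9 to 0.12 release lines fall inside the affected range.
    if [ "$major" -ne 0 ] || [ "$minor" -lt 9 ] || [ "$minor" -gt 12 ]; then
        echo outside-range; return 0
    fi

    # First fixed patch release per line; the page lists none for 0.9.x.
    case "$minor" in
        10) fixed_at=6 ;;
        11) fixed_at=5 ;;
        12) fixed_at=6 ;;
        *)  fixed_at='' ;;
    esac

    if [ -n "$fixed_at" ] && [ "$patch" -ge "$fixed_at" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample strings in the shape of `nomad version` output.
for sample in "Nomad v0.12.5 (0000000)" "Nomad v0.11.5 (0000000)" \
              "Nomad v0.9.7 (0000000)" "Nomad v0.12.6+ent (0000000)"; do
    printf '%-30s %s\n' "$sample" "$(classify_nomad_version "$sample")"
done

# On a client or server node: classify_nomad_version "$(nomad version)"
```

Run it on every client and server node, since a cluster can be mixed-version during a rolling upgrade.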

📡 Detection & Monitoring

Log Indicators:

  • Unusual job submissions with template/artifact stanzas
  • File access violations in client logs
  • Unexpected process execution on client nodes

Network Indicators:

  • Suspicious API calls to Nomad servers from unexpected sources

SIEM Query:

source="nomad" AND ("template" OR "artifact") AND severity=WARN|ERROR
