CVE-2021-37218

8.8 HIGH

📋 TL;DR

This vulnerability allows non-server agents in HashiCorp Nomad clusters to access server-only Raft RPC functionality, enabling privilege escalation. Any Nomad deployment using TLS certificates signed by the same Certificate Authority is affected. Attackers with valid client certificates can perform unauthorized administrative actions.

💻 Affected Systems

Products:
  • HashiCorp Nomad
  • HashiCorp Nomad Enterprise
Versions: 1.0.x releases before 1.0.10 and 1.1.x releases before 1.1.4 (and all earlier releases)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using TLS with certificates signed by the same CA. Non-TLS deployments are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster compromise allowing attackers to deploy malicious jobs, access sensitive data, modify cluster configuration, and disrupt all Nomad operations.

🟠 Likely Case

Unauthorized job deployment, data access, and configuration changes leading to service disruption and potential data exfiltration.

🟢 If Mitigated

Limited impact if network segmentation restricts RPC access and certificate management is tightly controlled.

🌐 Internet-Facing: MEDIUM - Requires valid TLS certificates but RPC endpoints may be exposed.
🏢 Internal Only: HIGH - Internal attackers with valid certificates can easily exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid TLS certificate signed by the cluster's CA, which attackers may obtain through various means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.10 or 1.1.4

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023

Restart Required: Yes

Instructions:

1. Back up the Nomad configuration and data.
2. Download and install Nomad 1.0.10 or 1.1.4.
3. Restart all Nomad server and client agents.
4. Verify cluster health and functionality.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Restrict access to Nomad server RPC endpoints (default port 4647) to only trusted server nodes.

iptables -A INPUT -p tcp --dport 4647 -s <trusted_server_ips> -j ACCEPT
iptables -A INPUT -p tcp --dport 4647 -j DROP

These rules are appended to the INPUT chain, so they only take effect if no earlier rule already accepts the traffic; check rule order with 'iptables -L INPUT -n --line-numbers'. Note that Nomad client agents also reach the servers on this port, so the allow list must cover every address that legitimately needs RPC access or clients will be cut off from the cluster.

Certificate Management (all platforms)

Implement strict certificate management with short-lived certificates and regular rotation.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nomad server RPC endpoints
  • Enforce certificate revocation and rotation policies to limit exposure window

🔍 How to Verify

Check if Vulnerable:

Run 'nomad version' and check whether the reported version is below 1.0.10 (1.0.x line) or below 1.1.4 (1.1.x line).

Check Version:

nomad version

Verify Fix Applied:

Confirm the version is 1.0.10 or higher (1.0.x line) or 1.1.4 or higher (1.1.x line), then test that RPC access controls behave as expected.
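The version check above, as an added example script that is not part of this advisory or of Nomad itself. It assumes the first line of 'nomad version' output has the form "Nomad v1.1.3 (commit)" and compares the parsed version against the fixed release of its own line (1.0.10 for 1.0.x, 1.1.4 for 1.1.x), treating anything older than 1.0.10 as affected and 1.2.0 and later as fixed.

```shell
#!/bin/sh
# Added example, not from the advisory or the Nomad project.
# Decide whether a `nomad version` output string describes a release that is
# still affected by CVE-2021-37218.

# Print the bare version ("1.1.3") from the first line of `nomad version` output.
# Assumed format: "Nomad v1.1.3 (commit)"; suffixes such as "+ent" or "-dev" are dropped.
nomad_version_from_output() {
  first=$(printf '%s\n' "$1" | head -n1)
  case "$first" in
    "Nomad v"*) v=${first#Nomad v}; v=${v%% *}; v=${v%%[-+]*}; printf '%s\n' "$v" ;;
    *) printf '\n' ;;
  esac
}

# Return 0 (true) when dotted version $1 is numerically lower than $2.
version_lt() {
  a=$1.0.0; b=$2.0.0   # pad so short versions still split into three numeric fields
  a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a=${a#*.}; a3=${a%%.*}
  b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b=${b#*.}; b3=${b%%.*}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# Return 0 when the version is below the fix for its release line
# (1.0.10 for 1.0.x, 1.1.4 for 1.1.x), 1 when fixed, 2 when the output is unparseable.
cve_2021_37218_vulnerable() {
  v=$(nomad_version_from_output "$1")
  [ -n "$v" ] || { echo "cannot parse Nomad version from: $1" >&2; return 2; }
  vp=$v.0; major=${vp%%.*}; rest=${vp#*.}; minor=${rest%%.*}
  if [ "$major" -lt 1 ]; then return 0; fi                 # 0.x predates both fixes
  if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ]; then fixed=1.0.10
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 1 ]; then fixed=1.1.4
  else return 1; fi                                        # 1.2.0 and later shipped after the fix
  if version_lt "$v" "$fixed"; then return 0; else return 1; fi
}

# Live check on a host with nomad installed (uncomment to use):
# if cve_2021_37218_vulnerable "$(nomad version)"; then
#   echo "AFFECTED: upgrade to 1.0.10 or 1.1.4"
# fi
```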

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized RPC access attempts
  • Unexpected administrative actions from non-server nodes
  • Certificate validation failures

Network Indicators:

  • RPC traffic from non-server IP addresses
  • Unusual port 4647 connections

SIEM Query:

source="nomad" AND (event="rpc_access_denied" OR event="unauthorized_rpc")
