CVE-2021-43415

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with job submission capabilities in HashiCorp Nomad to bypass configured allowed image paths when using the QEMU task driver. Attackers could execute arbitrary QEMU images outside the allowed paths, potentially leading to code execution. Affected systems are HashiCorp Nomad and Nomad Enterprise deployments with QEMU task driver enabled.

💻 Affected Systems

Products:
  • HashiCorp Nomad
  • HashiCorp Nomad Enterprise
Versions: Up to 1.0.13, 1.1.7, and 1.2.0
Operating Systems: All platforms running Nomad
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when QEMU task driver is enabled and configured with allowed image paths

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attackers could execute arbitrary malicious QEMU images, leading to full compromise of Nomad nodes, lateral movement within the cluster, and potential data exfiltration.

🟠 Likely Case

Privileged users could bypass security controls to run unauthorized QEMU images, potentially introducing malware or compromising workload isolation.

🟢 If Mitigated

With proper network segmentation and least-privilege access, impact would be limited to the compromised job's scope and isolated from critical systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with job submission permissions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.14, 1.1.8, and 1.2.1

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288

Restart Required: Yes

Instructions:

1. Back up Nomad configuration and data.
2. Download the patched version from HashiCorp releases.
3. Stop the Nomad service.
4. Replace the binary with the patched version.
5. Restart the Nomad service.
6. Verify cluster health.

🔧 Temporary Workarounds

Disable QEMU task driver

all

Temporarily disable the QEMU task driver if not required

nomad agent -config /path/to/config.hcl (with qemu plugin disabled)

Restrict job submission permissions

all

Apply strict ACL policies to limit who can submit QEMU jobs

nomad acl policy apply restrictive-qemu /path/to/policy.hcl

🧯 If You Can't Patch

  • Implement strict network segmentation for Nomad nodes running QEMU workloads
  • Enforce mandatory image signing and verification for all QEMU images

🔍 How to Verify

Check if Vulnerable:

Check Nomad version with 'nomad version' and verify if QEMU task driver is enabled in configuration

Check Version:

nomad version

Verify Fix Applied:

Confirm version is 1.0.14+, 1.1.8+, or 1.2.1+ and test that allowed image path restrictions are enforced
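
The version half of this check can be scripted. The following is an added example, not HashiCorp code or part of the original advisory: it classifies a version string against the patched releases listed above. The function names are this example's own, and the assumed first-line format of `nomad version` output is noted in the comments. Whether the QEMU driver is enabled still has to be read from the agent configuration.

```sh
#!/bin/sh
# Added example (not HashiCorp code): classify a Nomad version against the
# patched releases this page lists for CVE-2021-43415: 1.0.14, 1.1.8, 1.2.1.

# Extract the version token from the first line of `nomad version` output.
# Assumption: that line looks like "Nomad v1.2.0 (<revision>)".
nomad_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# Print "affected", "fixed" or "unknown" for a version such as "v1.1.7+ent".
nomad_cve_2021_43415_status() {
    v=${1#v}          # drop leading "v"
    v=${v%%[-+]*}     # drop "-dev", "+ent" and similar suffixes
    # Accept only digits and single dots, with no leading or trailing dot.
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v         # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    major=$1 minor=$2 patch=$3
    # Per the page's "Up to 1.0.13, 1.1.7, and 1.2.0": anything older than
    # the fixed release on its line is treated as affected.
    if [ "$major" -lt 1 ]; then echo affected; return 0; fi
    if [ "$major" -gt 1 ]; then echo fixed; return 0; fi
    case $minor in
        0) fixed_patch=14 ;;
        1) fixed_patch=8 ;;
        2) fixed_patch=1 ;;
        *) echo fixed; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then echo affected; else echo fixed; fi
}

# Constructed sample output; on a real node use: sample=$(nomad version)
sample='Nomad v1.1.7+ent (0000000000000000000000000000000000000000)'
ver=$(nomad_version_from_output "$sample")
echo "$ver: $(nomad_cve_2021_43415_status "$ver")"
```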

📡 Detection & Monitoring

Log Indicators:

  • QEMU job submissions with unusual image paths
  • Failed allowed path validation attempts
  • Unexpected QEMU process execution

Network Indicators:

  • Unusual outbound connections from Nomad nodes
  • Downloads from unauthorized image repositories

SIEM Query:

source="nomad" AND ("qemu" OR "allowed_paths") AND ("bypass" OR "unauthorized")
