CVE-2022-24683
📋 TL;DR
This vulnerability allows operators with read-fs and alloc-exec (or job-submit) capabilities in HashiCorp Nomad to read arbitrary files on the host filesystem as root. This affects Nomad and Nomad Enterprise deployments where operators have these specific capabilities. The vulnerability enables privilege escalation from containerized environments to the host system.
💻 Affected Systems
- HashiCorp Nomad
- HashiCorp Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers with appropriate capabilities can read sensitive host files (including secrets, configuration files, SSH keys) and potentially use this access to pivot to other systems or gain full control of the Nomad cluster.
Likely Case
Malicious or compromised operators with the required capabilities can exfiltrate sensitive data from the host filesystem, potentially accessing credentials, certificates, or other confidential information.
If Mitigated
With proper role-based access control limiting read-fs and alloc-exec capabilities to trusted administrators only, the attack surface is significantly reduced.
🎯 Exploit Status
Exploitation requires authenticated access with the specific capabilities named above. The vulnerability involves container escape techniques used to reach the host filesystem.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.18, 1.1.12, 1.2.6, and later versions
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
Restart Required: Yes
Instructions:
1. Back up your Nomad configuration and data.
2. Download the patched version from HashiCorp's official releases.
3. Stop Nomad services.
4. Replace the Nomad binary with the patched version.
5. Restart Nomad services.
6. Verify the cluster is healthy and operating normally.
🔧 Temporary Workarounds
Capability Restriction
Remove or restrict the read-fs and alloc-exec capabilities for operators who do not absolutely need them. Implement least-privilege access control.
# Review and update Nomad ACL policies to remove unnecessary capabilities
# Example: Modify policy.hcl to restrict capabilities
nomad acl policy apply -name restricted-policy policy.hcl
Network Segmentation
Isolate Nomad nodes from sensitive systems and implement network controls to limit lateral movement.
# Configure firewall rules to restrict Nomad node communications
# Example iptables rule: iptables -A OUTPUT -d sensitive-subnet -j DROP
🧯 If You Can't Patch
- Implement strict role-based access control to limit read-fs and alloc-exec capabilities to only essential administrators
- Monitor for unusual file access patterns and implement enhanced logging for operators with these capabilities
🔍 How to Verify
Check if Vulnerable:
Check your Nomad version using 'nomad version' and compare it against the affected versions. Also review the capabilities granted to operators in your ACL policies.
Check Version:
nomad version
Verify Fix Applied:
After patching, run 'nomad version' to confirm you're running 1.0.18+, 1.1.12+, or 1.2.6+. Test that operators with appropriate capabilities can no longer access arbitrary host files.
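A scripted form of the version check described above, added here as an example (it is not from the original page or from HashiCorp): it parses the output of 'nomad version' and compares the release line against the fix versions 1.0.18, 1.1.12 and 1.2.6. Treating release lines older than 1.0 as unpatched is an assumption, since the page lists no fix for them.

```python
import re
import subprocess

# Fix versions stated on this page, keyed by release line (major, minor) -> patch.
FIXED_PATCH = {(1, 0): 18, (1, 1): 12, (1, 2): 6}
# Any release line from 1.3 onward is later than every fix version listed.
FIRST_UNAFFECTED_LINE = (1, 3)

# Matches 'v1.2.6' inside output such as 'Nomad v1.2.6 (commit)' or 'Nomad v1.2.5+ent (commit)'.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(output):
    """Return (major, minor, patch) from `nomad version` output.

    Enterprise ('+ent') and prerelease ('-dev', '-rc1') suffixes are ignored,
    since only the numeric release matters for the comparison."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError(f"no Nomad version found in: {output!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version):
    """True when the version contains the CVE-2022-24683 fix."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch >= FIXED_PATCH[line]
    # Assumption: release lines older than 1.0 are not covered by a fix
    # version on this page, so they are reported as vulnerable.
    return line >= FIRST_UNAFFECTED_LINE


def check_output(output):
    """Return (version string, fixed?) for a captured `nomad version` output."""
    version = parse_version(output)
    return ".".join(str(part) for part in version), is_fixed(version)


def check_local():
    """Run `nomad version` on this host and evaluate the result."""
    result = subprocess.run(["nomad", "version"], capture_output=True, text=True, check=True)
    return check_output(result.stdout)


if __name__ == "__main__":
    version, fixed = check_local()
    print(f"Nomad {version}: {'fixed' if fixed else 'VULNERABLE to CVE-2022-24683'}")
```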
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from Nomad operators
- Multiple failed attempts to access restricted host paths
- Log entries showing container escape attempts
Network Indicators:
- Unexpected outbound connections from Nomad nodes following file access
- Data exfiltration patterns from Nomad infrastructure
SIEM Query:
source="nomad" AND ("read-fs" OR "alloc-exec") AND ("permission denied" OR "access denied")
🔗 References
- https://discuss.hashicorp.com
- https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
- https://security.netapp.com/advisory/ntap-20220318-0008/