CVE-2023-1299
📋 TL;DR
This vulnerability in HashiCorp Nomad allows job submitters to escalate privileges to management-level access using workload identity and task API features. It affects organizations running Nomad or Nomad Enterprise for container orchestration. Attackers could gain administrative control over the Nomad cluster.
💻 Affected Systems
- HashiCorp Nomad
- HashiCorp Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Nomad cluster allowing deployment of malicious workloads, data exfiltration, and lateral movement to connected systems.
Likely Case
Unauthorized job submissions, resource abuse, and potential data access through elevated privileges.
If Mitigated
Limited impact with proper network segmentation and minimal job submission permissions.
🎯 Exploit Status
Requires authenticated job submission access and knowledge of workload identity/task API features.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.1
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389
Restart Required: Yes
Instructions:
1. Back up Nomad configuration and data.
2. Download Nomad 1.5.1 from HashiCorp releases.
3. Stop the Nomad service.
4. Replace the binary with the 1.5.1 version.
5. Restart the Nomad service.
6. Verify cluster health.
🔧 Temporary Workarounds
Disable Workload Identity
Temporarily disable the workload identity feature until patching:
nomad operator api /v1/operator/autopilot/configuration -X PUT -d '{"WorkloadIdentity": false}'
Note: Nomad's documented Autopilot configuration has no WorkloadIdentity field, so confirm this command against the vendor advisory before relying on it as a workaround.
Restrict Job Submission
Limit job submission permissions to trusted users only
Review and tighten ACL policies for job submission
🧯 If You Can't Patch
- Implement strict network segmentation for Nomad API endpoints
- Enable detailed audit logging for all job submission and management activities
🔍 How to Verify
Check if Vulnerable:
Run nomad version; a reported version below 1.5.1 has not received the fix. (The output is of the form "Nomad v1.5.1 ...", so do not pipe it through grep -i version, which matches nothing.)
Verify Fix Applied:
nomad version reports 1.5.1 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual job submissions from non-admin users
- API calls to management endpoints from job submitter accounts
- Workload identity token requests followed by privilege escalation attempts
Network Indicators:
- Unusual API call patterns to /v1/operator endpoints from job submitter IPs
SIEM Query (illustrative; map the field names to your own log schema):
source="nomad" AND (event="job_submit" OR event="api_call") AND user.role="submitter" AND (endpoint="/v1/operator/*" OR action="management")
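As an added example (not part of the original advisory), the log indicators above turned into a small offline detector: it reads audit events, treats tokens that carry only job-submission policies as "job submitter" tokens, and flags any request from such a token to a management-level endpoint. The JSON field layout, the policy names and the sample lines are constructed assumptions shaped like Nomad Enterprise's audit log; adjust them to your deployment.

```python
import json

# Assumed policy names: a token whose policies all fall in this set is treated
# as a job-submitter token. Replace with the policies used in your cluster.
SUBMITTER_POLICIES = {"submit-jobs", "read-jobs"}
# Endpoint prefixes that require management-level privileges in Nomad.
MANAGEMENT_PREFIXES = ("/v1/operator/", "/v1/acl/")

# Constructed sample audit events (one JSON object per line); the layout
# approximates Nomad Enterprise's audit log and is an assumption.
SAMPLE_AUDIT_LOG = """
{"type":"audit","payload":{"stage":"OperationReceived","auth":{"accessor_id":"a1","name":"ci-submitter","policies":["submit-jobs"]},"request":{"operation":"PUT","endpoint":"/v1/jobs","request_meta":{"remote_address":"10.0.0.5:51000"}}}}
{"type":"audit","payload":{"stage":"OperationReceived","auth":{"accessor_id":"a1","name":"ci-submitter","policies":["submit-jobs"]},"request":{"operation":"GET","endpoint":"/v1/operator/raft/configuration","request_meta":{"remote_address":"10.0.0.5:51000"}}}}
{"type":"audit","payload":{"stage":"OperationComplete","auth":{"accessor_id":"a1","name":"ci-submitter","policies":["submit-jobs"]},"request":{"operation":"GET","endpoint":"/v1/operator/raft/configuration","request_meta":{"remote_address":"10.0.0.5:51000"}},"response":{"status_code":403}}}
{"type":"audit","payload":{"stage":"OperationReceived","auth":{"accessor_id":"m1","name":"ops-admin","policies":["ops-admin"]},"request":{"operation":"GET","endpoint":"/v1/operator/raft/configuration","request_meta":{"remote_address":"10.0.0.9:40000"}}}}
"""


def parse_audit_lines(text):
    """Yield one decoded event per non-empty line, skipping non-JSON noise."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def is_submitter_token(auth):
    policies = set(auth.get("policies") or [])
    return bool(policies) and policies <= SUBMITTER_POLICIES


def is_management_endpoint(endpoint):
    return endpoint.startswith(MANAGEMENT_PREFIXES)


def find_escalation_attempts(log_text):
    """Return submitter-token requests to management endpoints, one per request."""
    hits = []
    for event in parse_audit_lines(log_text):
        payload = event.get("payload", {})
        if payload.get("stage") != "OperationReceived":
            continue  # each request is logged twice; count it once
        auth, req = payload.get("auth", {}), payload.get("request", {})
        endpoint = req.get("endpoint", "")
        if is_submitter_token(auth) and is_management_endpoint(endpoint):
            hits.append({"accessor_id": auth.get("accessor_id"), "token_name": auth.get("name"),
                         "endpoint": endpoint,
                         "remote_address": req.get("request_meta", {}).get("remote_address")})
    return hits


if __name__ == "__main__":
    for hit in find_escalation_attempts(SAMPLE_AUDIT_LOG):
        print(hit)
```

A denied request still matters here: the point is that a submitter token reached a management endpoint at all, which on an unpatched 1.5.0 cluster may succeed.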