CVE-2024-30128
📋 TL;DR
HCL Nomad server on Domino has an open proxy vulnerability allowing unauthenticated attackers to mask their source IP address. This enables attackers to trick users into revealing sensitive information through proxy requests. All HCL Nomad server deployments on Domino are affected.
💻 Affected Systems
- HCL Nomad server on Domino
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the server as a proxy to launch attacks against internal systems, bypass IP-based restrictions, and conduct credential harvesting campaigns while appearing to originate from the legitimate server.
Likely Case
Attackers will use the server as an anonymizing proxy to hide their true IP address while conducting phishing campaigns, credential theft, or scanning other systems.
If Mitigated
With proper network segmentation and access controls, the impact is limited to potential misuse of the server's network position, but sensitive data exposure is prevented.
🎯 Exploit Status
The vulnerability requires no authentication and can be exploited with standard HTTP proxy requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to HCL advisory KB0115504 for specific fixed versions
Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0115504
Restart Required: Yes
Instructions:
1. Review HCL advisory KB0115504.
2. Download and apply the appropriate patch for your Nomad server version.
3. Restart the Nomad server service.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Nomad server to only trusted IP addresses or internal networks
Proxy Function Disable
Disable proxy functionality in Nomad server configuration if not required
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Nomad server from sensitive systems
- Deploy network monitoring to detect proxy abuse patterns and anomalous outbound connections
🔍 How to Verify
Check if Vulnerable:
Test if the Nomad server accepts proxy requests from untrusted sources by attempting to use it as a proxy
Check Version:
Check the Nomad server version through administrative interface or configuration files
Verify Fix Applied:
After patching, verify that proxy requests from untrusted sources are rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual proxy request patterns
- Requests from unexpected source IPs using the server as proxy
- High volume of outbound connections from the server
Network Indicators:
- The server acting as a proxy for external requests
- Anomalous traffic patterns where the server forwards requests to unexpected destinations
SIEM Query:
source_ip="[Nomad Server IP]" AND (http_method="CONNECT" OR contains(url,"proxy") OR destination_port IN [common_attack_ports])
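Added example (not from HCL or the original page): a log check for the indicators above that flags proxy-style requests from untrusted sources and records whether the server accepted them, which also serves the "Verify Fix Applied" step. The Common Log Format layout, the TRUSTED_NETS allow-list and the sample lines are assumptions; adjust them to the server's real access log.

```python
import ipaddress
import re

# Assumption: Common Log Format access lines; adjust LOG_RE to the real layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Assumption: hypothetical allow-list of networks expected to reach the server.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(src):
    """True if src parses as an IP address inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or malformed values count as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def is_proxy_form(method, target):
    """CONNECT or an absolute-form target is what a forward proxy receives;
    requests meant for the server itself use an origin-form path ("/...")."""
    return method == "CONNECT" or bool(ABSOLUTE_FORM.match(target))


def find_proxy_abuse(lines):
    """Return (src, method, target, accepted) for proxy-style requests from
    untrusted sources; accepted means the server answered with status < 400."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_trusted(m["src"]) or not is_proxy_form(m["method"], m["target"]):
            continue
        findings.append((m["src"], m["method"], m["target"], int(m["status"]) < 400))
    return findings


# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "CONNECT login.example.net:443 HTTP/1.1" 200 0',
    '10.1.2.3 - - [01/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "GET http://intranet.example.com/ HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /login HTTP/1.1" 200 312',
]
```

An entry with accepted set to True means the server relayed a proxy request for an untrusted source; after patching, every finding should show accepted as False.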