CVE-2024-6717
📋 TL;DR
This vulnerability allows attackers to escape the intended directory structure during archive unpacking in Nomad migrations, potentially writing files to arbitrary locations on the host filesystem. It affects HashiCorp Nomad and Nomad Enterprise deployments running vulnerable versions. The issue could lead to unauthorized file access, modification, or privilege escalation.
💻 Affected Systems
- HashiCorp Nomad
- HashiCorp Nomad Enterprise
📦 What is this software?
Nomad by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Nomad host system through arbitrary file writes, potentially leading to remote code execution, data exfiltration, or complete cluster takeover.
Likely Case
Unauthorized file access or modification within the host filesystem, potentially exposing sensitive configuration files, secrets, or enabling lateral movement.
If Mitigated
Limited impact if proper file permissions and isolation controls are in place, though some file access may still be possible.
🎯 Exploit Status
Exploitation requires the ability to trigger archive unpacking during migration, which typically requires some level of access to the Nomad cluster.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nomad 1.6.13, 1.7.10, 1.8.2
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-15-nomad-vulnerable-to-allocation-directory-path-escape-through-archive-unpacking/68781
Restart Required: Yes
Instructions:
1. Download the patched version from HashiCorp's official releases.
2. Stop Nomad services.
3. Back up configuration and data.
4. Install the patched version.
5. Restart Nomad services.
6. Verify successful upgrade and functionality.
🔧 Temporary Workarounds
Restrict Migration Operations
Limit or disable archive unpacking during migration operations to prevent exploitation.
Review and restrict Nomad ACL policies for migration operations
Disable unnecessary migration features in job configurations
🧯 If You Can't Patch
- Implement strict file system permissions and isolation for Nomad allocation directories
- Monitor and audit all migration operations for suspicious archive unpacking activities
🔍 How to Verify
Check if Vulnerable:
Check the Nomad version with the 'nomad version' command and compare it against the affected versions (1.6.12-1.6.x, ≤1.7.9, 1.8.1).
Check Version:
nomad version
Verify Fix Applied:
After patching, run 'nomad version' to confirm the version is 1.6.13, 1.7.10, 1.8.2 or higher.
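An added shell helper (not HashiCorp's code) that applies the version check above to the text printed by 'nomad version'. It assumes the first output line has the form "Nomad v1.8.1" (with an optional "+ent" or "-rc1" suffix) and, following the "or higher" wording, treats minor lines newer than 1.8 as carrying the fix.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): classify a Nomad version against the
# fixed releases named in this advisory: 1.6.13, 1.7.10, 1.8.2.

# nomad_version_fixed VERSION   (e.g. "1.7.9", "v1.8.2+ent")
#   returns 0 = at or above a fixed release, 1 = affected, 2 = unparseable
nomad_version_fixed() {
    v=${1#v}                        # "v1.8.1+ent" -> "1.8.1+ent"
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}         # drop "+ent", "-rc1", "-dev" suffixes
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -lt 1 ]; then return 1; fi   # 0.x never received the fix
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 0; fi   # 1.9+ released after the fix
    case "$minor" in
        6) fixed=13 ;;
        7) fixed=10 ;;
        8) fixed=2 ;;
        *) return 1 ;;                          # 1.5 and older: affected
    esac
    [ "$patch" -ge "$fixed" ]
}

# nomad_check_output OUTPUT   (OUTPUT = full text printed by `nomad version`,
#   assumed to start with a line like "Nomad v1.8.1"); prints a verdict and
#   returns the same code as nomad_version_fixed.
nomad_check_output() {
    out=$1
    first=$(printf '%s\n' "$out" | head -n 1)
    set -- $first
    ver=$2
    nomad_version_fixed "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "Nomad $ver: at or above a fixed release for CVE-2024-6717" ;;
        1) echo "Nomad $ver: AFFECTED by CVE-2024-6717; upgrade to 1.6.13, 1.7.10 or 1.8.2" ;;
        *) echo "Could not parse a version from: $first" ;;
    esac
    return $rc
}

# Inspect the local binary when one is on PATH (skipped otherwise).
if command -v nomad >/dev/null 2>&1; then
    nomad_check_output "$(nomad version 2>/dev/null)" || true
fi
```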
📡 Detection & Monitoring
Log Indicators:
- Unusual archive unpacking operations during migration
- File access outside expected allocation directories
- Permission denied errors for unexpected file paths
Network Indicators:
- Unusual migration traffic patterns
- Unexpected file transfer activities
SIEM Query:
source="nomad" AND ("archive" OR "unpack" OR "migration") AND ("permission denied" OR "path escape" OR "directory traversal")