CVE-2024-7625
📋 TL;DR
This vulnerability allows an attacker with access to a Nomad client agent to write files outside the intended allocation directory during archive unpacking. It affects HashiCorp Nomad and Nomad Enterprise users running vulnerable versions. The attacker must first compromise the Nomad client agent at the source allocation to exploit this issue.
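The escape described above comes from an archive unpacker trusting entry names. As an added example (not Nomad's code, and not taken from the advisory), the Go function below shows the containment check a defender would want in such an unpacker, including the case the advisory title names: destination paths that do not exist yet, where a plain filepath.EvalSymlinks fails and its error must not be mistaken for "safe". The allocation directory and entry names are assumed inputs.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("archive entry escapes allocation directory")

// insideDir reports whether target equals dir or lies beneath it; both must be clean and absolute.
func insideDir(dir, target string) bool {
	rel, err := filepath.Rel(dir, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting follows symlinks in the longest prefix of p that exists on disk and re-appends the
// rest, so it also handles paths that are only about to be created (bare EvalSymlinks fails there).
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		parent := filepath.Dir(p)
		if !errors.Is(err, os.ErrNotExist) || parent == p {
			return "", err
		}
		rest, p = filepath.Join(filepath.Base(p), rest), parent
	}
}

// SafeExtractPath maps an archive entry name to its destination under allocDir (assumed absolute).
func SafeExtractPath(allocDir, entryName string) (string, error) {
	base := filepath.Clean(allocDir)
	// Absolute entry names are treated as relative to allocDir; Join collapses ".." segments.
	target := filepath.Join(base, strings.TrimLeft(entryName, "/"))
	resolvedBase, errB := resolveExisting(base)
	resolvedTarget, errT := resolveExisting(target)
	if errB != nil || errT != nil {
		return "", errors.Join(errB, errT)
	}
	// The second check catches a symlink already present under allocDir that points outside it.
	if !insideDir(base, target) || !insideDir(resolvedBase, resolvedTarget) {
		return "", ErrEscape
	}
	return target, nil
}
```

Only entries for which SafeExtractPath returns a path should be written; any error, including a resolution error, is treated as a rejection.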
💻 Affected Systems
- HashiCorp Nomad
- HashiCorp Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
An attacker could write arbitrary files outside the allocation directory, potentially leading to privilege escalation, data corruption, or execution of malicious code on the Nomad client host.
Likely Case
Limited file system manipulation on the compromised client host, potentially affecting other allocations or system files if the attacker has sufficient permissions.
If Mitigated
Minimal impact if proper network segmentation, client isolation, and least-privilege principles are in place.
🎯 Exploit Status
Exploitation requires compromising a Nomad client agent first, then leveraging the archive unpacking vulnerability during allocation migration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nomad 1.6.14, 1.7.11, 1.8.3
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-17-nomad-vulnerable-to-allocation-directory-escape-on-non-existing-file-paths-through-archive-unpacking/69293
Restart Required: Yes
Instructions:
1. Download the patched version from HashiCorp releases.
2. Stop Nomad services.
3. Back up configuration and data.
4. Install the patched version.
5. Restart Nomad services.
6. Verify that the upgrade was successful.
🔧 Temporary Workarounds
Restrict client agent access
Implement strict access controls and network segmentation to prevent unauthorized access to Nomad client agents.
Monitor allocation migrations
Implement monitoring for archive unpacking operations during allocation directory migrations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Nomad client agents from sensitive systems
- Apply principle of least privilege to Nomad client agent processes and file system permissions
🔍 How to Verify
Check if Vulnerable:
Check the Nomad version with the 'nomad version' command and compare it against the affected versions.
Check Version:
nomad version
Verify Fix Applied:
After patching, verify with 'nomad version' that the reported version is 1.6.14, 1.7.11, or 1.8.3, or a later release in the same line.
📡 Detection & Monitoring
Log Indicators:
- Unusual archive unpacking operations
- File writes outside expected allocation directories
- Failed allocation migrations
Network Indicators:
- Unexpected connections to Nomad client agents
- Suspicious API calls to allocation migration endpoints
SIEM Query:
source="nomad" AND ("archive" OR "unpack" OR "migration") AND ("error" OR "failed" OR "unexpected")