CVE-2020-28348 in Nomad

Summary

by MITRE • 11/24/2020

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.


Analysis

by VulDB Data Team • 12/10/2020

HashiCorp Nomad and Nomad Enterprise versions 0.9.0 through 0.12.7 contain a flaw in the client's Docker file sandbox, the control that limits which host paths a Docker task may mount. The sandbox could be subverted when it had not been explicitly disabled or when a mount of type volume was used, so a job that should have been confined to its allocation directory could reach other parts of the client's filesystem.

The sandbox is implemented in the Docker task driver of the Nomad client. By default the driver only lets a task bind paths inside its own allocation directory; binding arbitrary host paths requires the operator to turn on the Docker plugin's `volumes.enabled` option. The weakness is that this restriction was not enforced consistently: under the two conditions named in the advisory (the sandbox not explicitly disabled, or a volume-type mount in the task configuration) a job could obtain host filesystem access the operator had not granted. That is a failure of least privilege at the boundary between the job author and the client host, and what an attacker gains depends on what the host exposes. The Nomad client commonly runs as root because several task drivers require it, so reachable paths can include credentials, the Nomad data directory and anything else the operator assumed was out of the job's reach. The VulDB entry classifies the issue under CWE-276 (Incorrect Default Permissions) and maps it to ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation).

The practical exposure is whoever can submit or modify jobs on the cluster. In deployments without ACLs, or where many teams share a cluster, that population is large and is usually trusted to run workloads but not to read or write the client hosts. A sandbox bypass turns job submission into host filesystem access on every client the job is scheduled to, which in turn gives a path to credentials, other tasks' allocation directories and lateral movement to systems those hosts can reach. Environments that rely on volume mounts for legitimate workloads, or that had not explicitly disabled the sandbox, are the ones in which the flawed code path is exercised.

The fix shipped in 0.12.8, 0.11.7 and 0.10.8 enforces the sandbox consistently, including for volume-type mounts. Remediation is an upgrade: inventory every client with `nomad node status` and bring any client in the affected range onto a fixed release of its line (0.10.8, 0.11.7, or 0.12.8 and later). Alongside the upgrade, review the Docker plugin configuration on each client so that `volumes.enabled` is only true where host bind mounts are genuinely required, enable ACLs so that job submission is limited to known identities, and review running jobs for `volumes` and `mount` usage that would have exercised the sandbox. Change monitoring on the client configuration and periodic review of the driver settings close the loop, since a later configuration change can reopen the same exposure the patch addressed.
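The version inventory and job review recommended above, as an added example (this is not VulDB's or HashiCorp's code). The script assumes the JSON shapes returned by `nomad node status -json` and `GET /v1/job/<id>` (the field names `Version`, `TaskGroups`, `Tasks`, `Driver` and `Config` are taken from the Nomad API and are assumptions here, as is the fallback to the `nomad.version` attribute), and it embeds constructed sample data so it runs offline; in practice the inputs are the live API responses. It goes a step beyond the page by also hunting for the Docker task configurations that exercise the sandbox at all, which helps prioritise what to review once clients are patched.

```python
"""Added example, not Nomad's or VulDB's code: audit helpers for CVE-2020-28348.

Two checks an operator runs while remediating:
  1. flag clients whose Nomad version falls in the affected range, from the
     JSON that `nomad node status -json` (or GET /v1/nodes) returns;
  2. hunt for Docker tasks whose config binds host paths or uses `mount`
     blocks, i.e. the jobs that exercise the file sandbox at all.
Sample inputs below are constructed. Field names ("Version", "TaskGroups",
"Tasks", "Driver", "Config") are assumed to match the Nomad API.
"""
import json

# Fixed releases named in the advisory, keyed by (major, minor) line.
FIXED = {(0, 10): (0, 10, 8), (0, 11): (0, 11, 7), (0, 12): (0, 12, 8)}
AFFECTED_MIN = (0, 9, 0)
AFFECTED_MAX = (0, 12, 7)


def parse_version(text):
    """'v0.12.7-rc1+ent' -> (0, 12, 7). Prerelease and build tags are dropped,
    so a release candidate is judged as conservatively as its final release."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True when the version is inside 0.9.0..0.12.7 and has no backported fix."""
    v = parse_version(version)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False
    fixed = FIXED.get(v[:2])
    return fixed is None or v < fixed


def audit_nodes(node_list_json):
    """Return [(name, version)] for clients still running an affected build."""
    findings = []
    for node in json.loads(node_list_json):
        version = node.get("Version") or node.get("Attributes", {}).get("nomad.version", "")
        if version and is_vulnerable(version):
            findings.append((node["Name"], version))
    return findings


def risky_docker_tasks(job_json):
    """Return [(group, task, reason)] for docker tasks that bind host paths or use
    mount blocks. Relative `volumes` sources rebind paths already inside the
    allocation directory and are not flagged."""
    job = json.loads(job_json)
    hits = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            if task.get("Driver") != "docker":
                continue
            cfg = task.get("Config") or {}
            for spec in cfg.get("volumes") or []:
                host_path = spec.split(":", 1)[0]
                if host_path.startswith("/"):
                    hits.append((group["Name"], task["Name"], "host bind mount " + host_path))
            # `mount` is the block name; `mounts` is accepted in case an older spelling is in use.
            for block in (cfg.get("mount") or []) + (cfg.get("mounts") or []):
                hits.append((group["Name"], task["Name"],
                             "mount type=%s source=%s" % (block.get("type"), block.get("source"))))
    return hits


# Constructed sample resembling `nomad node status -json` output.
SAMPLE_NODES = json.dumps([
    {"Name": "client-a", "Datacenter": "dc1", "Status": "ready", "Version": "0.12.7"},
    {"Name": "client-b", "Datacenter": "dc1", "Status": "ready", "Version": "0.12.8"},
    {"Name": "client-c", "Datacenter": "dc2", "Status": "ready", "Version": "0.11.3+ent"},
    {"Name": "client-d", "Datacenter": "dc2", "Status": "ready", "Version": "1.0.1"},
])

# Constructed sample resembling GET /v1/job/<id>: one task binds the Docker
# socket from the host, one only rebinds a path inside its allocation directory
# but adds a volume-type mount, one is not a Docker task at all.
SAMPLE_JOB = json.dumps({
    "ID": "web", "TaskGroups": [{"Name": "app", "Tasks": [
        {"Name": "proxy", "Driver": "docker", "Config": {
            "image": "nginx:1.19",
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"]}},
        {"Name": "app", "Driver": "docker", "Config": {
            "image": "example/app:1.0",
            "volumes": ["local/config:/etc/app"],
            "mount": [{"type": "volume", "source": "app-data", "target": "/data"}]}},
        {"Name": "logger", "Driver": "exec", "Config": {"command": "/bin/sh"}},
    ]}],
})

if __name__ == "__main__":
    for name, version in audit_nodes(SAMPLE_NODES):
        print(f"UPGRADE {name}: Nomad {version} is affected by CVE-2020-28348")
    for group, task, reason in risky_docker_tasks(SAMPLE_JOB):
        print(f"REVIEW {group}/{task}: {reason}")
```

The version comparison treats a prerelease as its final release on purpose: a client reporting 0.12.8-rc1 is not assumed fixed, and a 0.11.x client is only cleared at 0.11.7 even though 0.12.x numbers are larger. Relative `volumes` sources are left alone because the driver resolves them inside the allocation directory; absolute sources and any `mount` block are exactly the cases the sandbox is supposed to police, so they are the jobs worth reading before and after the upgrade.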

Reservation

11/09/2020

Disclosure

11/24/2020

Moderation

accepted

CPE

ready

EPSS

0.01631

KEV

no

Activities

very low
