Missing authorization in Hashicorp Nomad

1) Missing Authorization

EUVDB-ID: #VU100098

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-10975

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote user to perform unauthorized Container Storage Interface (CSI) volume writes.

The vulnerability exists due to missing authorization checks when creating or registering external storage volumes. A remote user with csi-write-volume capability in a namespace can perform cross-namespace volume creation using the Nomad volume create or volume register commands.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nomad: 1.3.0 - 1.9.1

Nomad Enterprise: 1.3.0 - 1.9.1

CPE2.3

• cpe:2.3:a:hashicorp:nomad:1.3.16:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.2:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.3:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.4:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.5:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.6:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.7:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad:1.4.8:*:*:*:*:*:*:*
• cpe:2.3:a:hashicorp:nomad_enterprise:1.3.0:*:*:*:*:nomad:*:*

External links

https://discuss.hashicorp.com/t/hcsec-2024-27-nomad-vulnerable-to-cross-namespace-volume-creation-abusing-csi-write-permission
https://github.com/advisories/GHSA-2w5v-x29g-jw7j

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.