CVE-2021-32575
Description
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nomad bridge networking mode up to 1.0.4 allows ARP spoofing attacks from other bridged tasks on the same node due to default CAP_NET_RAW capability.
Vulnerability
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4, specifically when using bridge networking mode with the docker, exec, or java task drivers on Linux, is vulnerable to ARP spoofing attacks. The vulnerability arises because these task drivers enable the CAP_NET_RAW Linux capability by default, allowing tasks within the same bridge network namespace to send arbitrary ARP packets. Affected versions include all Nomad releases up to and including 1.0.4, with fixes available in versions 0.12.12, 1.0.5, and 1.1.0 Release Candidate 1 [1][2].
Exploitation
An attacker must be able to run a task on a Nomad client node that uses bridge networking mode with the docker, exec, or java task drivers. The attacker does not require any special privileges beyond the ability to execute code within their task. Exploitation involves crafting ARP packets from the attacker's task to poison the ARP cache of other bridged tasks on the same node. This is possible because the CAP_NET_RAW capability permits raw socket access, which the attacker can use to send spoofed ARP replies [2].
Impact
A successful ARP spoofing attack allows the attacker to intercept, modify, or block network traffic intended for other tasks within the same bridge network on the same Nomad client node. This can lead to denial of service (DoS) and man-in-the-middle (MITM) attacks, potentially compromising the confidentiality and integrity of data exchanged between affected tasks [2].
Mitigation
The vulnerability is fixed in Nomad versions 0.12.12, 1.0.5, and 1.1.0 RC1. The fix disables the CAP_NET_RAW capability by default for the docker, exec, and java task drivers. For the docker task driver, previous behavior can be restored using the allow_caps plugin configuration option. Similar configurability for exec and java task drivers is planned for a future release. Users are advised to upgrade to a fixed version as soon as possible [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
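One way to confirm that the fix described above is in effect on a given node is to inspect a task's effective capability set from inside the task. The following is an added example, not code from this CVE record or from Nomad itself: it decodes the CapEff mask the kernel exposes in /proc/<pid>/status and reports whether CAP_NET_RAW is still granted. The two embedded CapEff values are constructed (the Docker default capability set with and without net_raw), and the capability bit numbers are assumed from linux/capability.h.

```python
"""Check whether a task's effective capability set still includes CAP_NET_RAW."""
import re

# Capability bit numbers (assumed from linux/capability.h); only the
# capabilities Docker grants by default are named, others show as cap_<n>.
CAP_BITS = {
    0: "chown", 1: "dac_override", 3: "fowner", 4: "fsetid", 5: "kill",
    6: "setgid", 7: "setuid", 8: "setpcap", 10: "net_bind_service",
    13: "net_raw", 18: "sys_chroot", 27: "mknod", 29: "audit_write",
    31: "setfcap",
}
CAP_NET_RAW = 13


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask parsed from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def decode_caps(mask: int) -> list[str]:
    """Name every set bit in ascending bit order."""
    return [CAP_BITS.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]


def has_net_raw(status_text: str) -> bool:
    """True if the task holds CAP_NET_RAW, i.e. can open raw sockets."""
    return bool(parse_cap_eff(status_text) >> CAP_NET_RAW & 1)


# Constructed /proc/<pid>/status excerpts: the first carries the classic Docker
# default capability set (net_raw included), the second the same set minus net_raw.
STATUS_WITH_NET_RAW = "Name:\tsleep\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_HARDENED = "Name:\tsleep\nCapInh:\t0000000000000000\nCapEff:\t00000000a80405fb\n"

if __name__ == "__main__":
    # Run inside a bridged task on a Linux node to audit the live process.
    with open("/proc/self/status") as f:
        text = f.read()
    print("effective caps:", ", ".join(decode_caps(parse_cap_eff(text))))
    print("CAP_NET_RAW present:", has_net_raw(text))
```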
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/nomad (Go) | >= 1.0.0, < 1.0.5 | 1.0.5 |
| github.com/hashicorp/nomad (Go) | < 0.12.12 | 0.12.12 |
Affected products
- HashiCorp/Nomad
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-vf6q-9f2f-mwhv (advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-32575 (advisory)
- https://discuss.hashicorp.com/t/hcsec-2021-14-nomad-bridge-networking-mode-allows-arp-spoofing-from-other-bridged-tasks-on-same-node/24296 (web)
- https://www.hashicorp.com/blog/category/nomad (web)
News mentions
No linked articles in our index yet.