VYPR
Moderate severity · NVD Advisory · Published Jul 19, 2023 · Updated Oct 17, 2024

Nomad ACL Policies without Label are Applied to Unexpected Resources

CVE-2023-3072

Description

HashiCorp Nomad and Nomad Enterprise from 0.7.0 up to and including 1.5.6 (and up to 1.4.10 on the 1.4 branch): ACL policies that use a block without a label generate unexpected results. Fixed in 1.6.0, 1.5.7, and 1.4.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Nomad ACL policies using a block without a label may be applied to unintended resources, leading to potential privilege escalation.

Vulnerability

Overview

A vulnerability in HashiCorp Nomad and Nomad Enterprise, tracked as CVE-2023-3072, affects versions 0.7.0 through 1.4.10 on the 1.4 branch and 1.5.0 through 1.5.6 on the 1.5 branch. The issue occurs when an ACL policy written in HCL uses a block that expects a label (for example, a namespace block) but omits it. Instead of being rejected, such a policy parses successfully and its rules are attached to a resource other than the one the author intended, so the effective access controls differ from what was written [1][3].

Exploitation and Attack Surface

The bug is triggered when an administrator creates or updates an ACL policy that omits the label on a block which requires one. For example, a namespace block without a label could be applied to a resource named "policy" rather than to the namespace the administrator meant [3]. Taking advantage of the result does not require the ability to edit policies: a holder of a token bound to such a policy may receive access to resources the administrator never intended to grant, or may lack the access that was intended. An attacker who can influence how policies are written could also try to induce the mistake. The attack surface is confined to the Nomad cluster's ACL system; no network-level exploitation is described [3].

Impact

If such a policy is deployed, a token holder may gain access to resources or operations that were not intended, which can amount to privilege escalation or unauthorized access to sensitive data and jobs within the Nomad cluster [3]. The consequence is significant because Nomad's ACL system is the authorization layer for its HTTP API [2][3].

Mitigation

HashiCorp fixed the issue in Nomad 1.6.0, 1.5.7, and 1.4.11; upgrade to one of these or a later release. No workaround is documented. As an interim measure, review existing ACL policies and confirm that every block that expects a label (such as namespace) carries one, and rewrite any policy that omits a label with an explicit label, since its effective permissions are not what its text says [1][3].
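The block below is an added example and is not code from HashiCorp, from the advisory, or from this page. It shows the mistaken policy form described in the Overview and Exploitation sections (a namespace block with no label) next to the intended labelled form, together with a small Python check that flags label-expecting blocks without a label, which is the review step the Mitigation paragraph recommends. The set of block types treated as label-expecting (namespace, host_volume, node_pool) is an assumption drawn from Nomad's ACL policy syntax, and both sample policies are constructed for illustration.

```python
import re

# Constructed sample: the mistaken form the advisory describes, a
# namespace block with no label. On affected Nomad versions this is not
# rejected; the rules end up attached to an unintended resource rather
# than to the namespace the author meant.
UNLABELED_POLICY = '''
namespace {
  policy = "write"
}

node {
  policy = "read"
}
'''

# Constructed sample of the intended form: every block that takes a
# label names the resource it governs.
LABELED_POLICY = '''
namespace "prod" {
  policy = "write"
  capabilities = ["submit-job", "read-logs"]
}

host_volume "ci-cache" {
  policy = "read"
}

node {
  policy = "read"
}
'''

# Assumption: these block types take a label in Nomad ACL policy HCL.
# Top-level blocks that take no label (agent, node, operator, quota,
# plugin) are deliberately not in this set.
LABELED_BLOCKS = {"namespace", "host_volume", "node_pool"}

# Opening line of a block: optional indentation, block type, optional
# quoted label, then '{'. Group 2 is None when no label is present.
BLOCK_RE = re.compile(r'^\s*([A-Za-z_]+)\s*(?:"([^"]*)")?\s*\{')


def find_unlabeled_blocks(policy_hcl):
    """Return (line_number, block_type) for every label-expecting block
    whose label is missing or empty. Comment lines (# or //) are skipped."""
    findings = []
    for lineno, line in enumerate(policy_hcl.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue
        m = BLOCK_RE.match(line)
        if not m:
            continue
        block, label = m.group(1), m.group(2)
        # An empty label ("") is treated the same as a missing one.
        if block in LABELED_BLOCKS and not label:
            findings.append((lineno, block))
    return findings


def policy_is_clean(policy_hcl):
    """True when no label-expecting block lacks a label."""
    return not find_unlabeled_blocks(policy_hcl)


if __name__ == "__main__":
    for name, text in (("unlabeled", UNLABELED_POLICY), ("labeled", LABELED_POLICY)):
        hits = find_unlabeled_blocks(text)
        print(f"{name}: {'OK' if not hits else 'REVIEW'}")
        for lineno, block in hits:
            print(f"  line {lineno}: '{block}' block has no label")
```

The check is text-level and deliberately conservative: it only understands block openers, so run it as a pre-commit or CI gate on policy files before `nomad acl policy apply` and treat every hit as something to review by hand. It is a stopgap for the review step above, not a substitute for upgrading to a fixed release.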

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions     Patched versions
github.com/hashicorp/nomad  Go          >= 0.7.0, < 1.4.11    1.4.11
github.com/hashicorp/nomad  Go          >= 1.5.0, < 1.5.6     1.5.6

Note: the 1.5.x row is reproduced as published by the GitHub Security Advisory, but the description above lists 1.5.6 as affected and 1.5.7 as the fixed 1.5.x release; treat 1.5.7 as the minimum patched 1.5.x version.

Affected products: 3



References: 4
