HashiCorp Nomad ACL Lookup Flaw Allows Privilege Escalation

HashiCorp disclosed a critical security flaw (CVE-2025-4922) in its Nomad workload orchestration tool on June 11, 2025, exposing clusters to privilege escalation risks through improper ACL policy enforcement.

The vulnerability, rated 8.1 CVSS, enables attackers to bypass namespace restrictions via strategic job naming conventions.

Technical Analysis

Nomad’s Access Control List (ACL) system uses prefix-based matching for job-to-policy resolution.

This allows jobs with partially matching names to inherit policies from existing entries.

For example, given the policy:

    namespace "prod-database" {
      policy = "write"
      capabilities = ["alloc-exec"]
    }

A malicious actor could create prod-database-backup to inherit the write policy despite lacking explicit permissions.

Exploit Scenario

  1. Attacker identifies privileged job secure-payroll with namespace "finance" { policy = "write" }
  2. Creates a new job secure-payroll-audit
  3. Nomad erroneously applies the finance policy to the unauthorized job
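The lookup behaviour described in the Technical Analysis and Exploit Scenario above, as an added Python model (not Nomad's own code): the flawed prefix lookup beside an exact-match lookup, plus two audit helpers a defender can run over an exported policy set. The rule data and function names are constructed for illustration.

```python
# Constructed sample ACL rules modelled on the article's examples; not data from a real cluster.
POLICIES = {
    "prod-database": {"policy": "write", "capabilities": ["alloc-exec"]},
    "finance": {"policy": "write", "capabilities": []},
    "prod-api": {"policy": "read", "capabilities": []},
}


def resolve_prefix(name: str, policies: dict) -> str:
    """Model of the flawed lookup: the longest rule name that is a prefix of the
    requested name wins, so "prod-database-backup" inherits "prod-database"."""
    best = None
    for ns in policies:
        if name.startswith(ns) and (best is None or len(ns) > len(best)):
            best = ns
    return policies[best]["policy"] if best else "deny"


def resolve_exact(name: str, policies: dict) -> str:
    """Exact-match lookup: a name with no rule of its own falls back to the
    default deny instead of inheriting a neighbouring rule."""
    rule = policies.get(name)
    return rule["policy"] if rule else "deny"


def prefix_collisions(policies: dict) -> list:
    """Audit helper: every (short, long) pair where one rule name is a proper
    prefix of another. On an unpatched cluster each pair is a place where the
    longer name can be shadowed by the shorter rule."""
    names = sorted(policies)
    return [(a, b) for a in names for b in names if a != b and b.startswith(a)]


def wildcard_write_rules(policies: dict) -> list:
    """Audit helper: rules that combine a wildcard name with write access."""
    return [ns for ns, rule in policies.items() if "*" in ns and rule["policy"] == "write"]
```

Running `prefix_collisions` and `wildcard_write_rules` over a cluster's exported policy set gives the review list for step 2 of the mitigations, independent of whether the upgrade has landed yet.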

Affected Versions

Product Line      | Vulnerable Versions   | Patched Versions
Nomad Community   | 1.4.0 ≤ v ≤ 1.10.1    | 1.10.2
Nomad Enterprise  | 1.4.0 ≤ v ≤ 1.10.1    | 1.10.2
Nomad Enterprise  | 1.9.0 ≤ v ≤ 1.9.9     | 1.9.10
Nomad Enterprise  | 1.8.0 ≤ v ≤ 1.8.13    | 1.8.14
Mitigation Steps

  1. Immediate Upgrade

        # Community Edition
        nomad version | grep 'Nomad v1.10.1' && curl -O https://releases.hashicorp.com/nomad/1.10.2/nomad_1.10.2_linux_amd64.zip

        # Enterprise Edition
        hashicorp-support login && hc-releases get nomad-enterprise 1.10.2

  2. Policy Audit: review all namespaces for wildcard policies, which increase risk:

        namespace "*" {
          policy = "write"
        }

  3. Implement least-privilege access using exact-match rules:

        namespace "prod-api" {
          policy = "read"
          variables {
            path "credentials/*" {
              capabilities = ["deny"]
            }
          }
        }

Security Implications

This vulnerability enables:

  • Privilege Escalation: Unauthorized job execution in protected namespaces
  • Policy Shadowing: Override of deny rules through prefix collisions
  • Data Exfiltration: Access to sensitive variables in shared namespaces

HashiCorp’s internal security team identified the flaw during routine code audits, with no evidence of active exploitation.

Organizations using multi-tenant Nomad deployments with ACLs should prioritize patching given the attack vector’s low complexity and high potential impact.
