HCSEC-2024-27
**Bulletin ID:** HCSEC-2024-27 **Affected Products / Versions:** Nomad Community Edition from 1.3.0 up to 1.9.1, fixed in 1.9.2. Nomad Enterprise from 1.3.0 up to 1.9.1, 1.8.6, 1.7.14, fixed in 1.9.2, 1.8.7, and 1.7.15. **Publication Date:** November 7, 2024 **Summary** Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15. **Background** Nomad's storage plugin allows scheduling tasks with externally created storage volumes. The Nomad [volume](https://developer.hashicorp.com/nomad/docs/other-specifications/volume) specification defines the schema for creating and registering volumes using the [volume create](https://developer.hashicorp.com/nomad/docs/commands/volume/create) and [volume register](https://developer.hashicorp.com/nomad/docs/commands/volume/register) commands. The [volume create](https://developer.hashicorp.com/nomad/docs/commands/volume/create) command creates external storage volumes with Nomad's [Container Storage Interface (CSI)](https://github.com/container-storage-interface/spec) support for plugins that implement the [Controller](https://developer.hashicorp.com/nomad/docs/concepts/plugins/csi#csi-plugins) interface. When ACLs are enabled, this command requires a token with the [csi-write-volume](https://developer.hashicorp.com/nomad/docs/other-specifications/acl-policy#csi-write-volume) capability for the volume's namespace. **Details** The vulnerability is exploitable when a user with [csi-write-volume](https://developer.hashicorp.com/nomad/docs/other-specifications/acl-policy#csi-write-volume) capability in a namespace attempts to create or register an external storage volume using the Nomad `volume create` or `volume register` command. A flaw in authorization checks as implemented allowed an attacker to create volumes across namespaces, bypassing intended ACLs by: * setting the `namespace` field in the volume spec to the target namespace the user doesn't have permissions to, while also * setting the `-namespace` for the command line (or API) to the namespace the user does have permissions to **Remediation** Customers using the `volume create` or `volume register` commands should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.2, 1.8.7, 1.7.15, or newer. Please refer to [Upgrading Nomad ](https://developer.hashicorp.com/nomad/docs/upgrade)for general guidance and the [Upgrade Guides](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific) for version-specific upgrade notes. **Acknowledgement** This issue was identified by HashiCorp‘s Nomad engineering teams. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
Timeline
- Nov 7, 2024 CVE Published