Nomad and Nomad Enterprise (“Nomad”) with the QEMU task driver enabled allowed authenticated users with job submission capabilities to bypass the configured allowed paths for images. This vulnerability, CVE-2021-43415, was fixed in Nomad 1.0.14, 1.1.8, and 1.2.1.
Background
Nomad provides first-class support for the QEMU task driver to run virtual machines, which has a client agent configuration option to restrict the allowed image paths that can be used in a job, preventing arbitrary access to the underlying host filesystem.
Details
An external reporter discovered that a Nomad job using the QEMU task driver could be crafted to bypass intended restrictions on the source of the image on the host by using the "-drive" CLI flag as an argument in the submitted job.
To address this, Nomad’s configuration logic has been modified to provide operators the ability to further control access to host resources by restricting the QEMU CLI flags available to a job submitter with a new args_allowlist option.
Remediation
Customers using Nomad’s QEMU task driver should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.14, 1.1.8, and 1.2.1, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes. After upgrading, operators will need to configure the args_allowlist option to permit only the QEMU CLI flags necessary for their environment.
Alternatively, the QEMU task driver may be disabled using the following client agent configuration snippet:
plugin "qemu" {
  enabled = false
}
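The allowlist check described under Details and Remediation, as an added example that is not part of the original advisory and is not Nomad's code: a Go helper (`rejectedFlags`, a hypothetical name) that lists the QEMU flags in a job's args that an operator's allowlist does not permit. It assumes exact-match comparison and treats an empty allowlist as permitting no flags; the sample allowlist and args are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// rejectedFlags returns, in order, every QEMU flag in args that is not on the
// allowlist. Hypothetical helper modelling an args_allowlist-style check for
// linting job files before submission; it is not Nomad's implementation.
// Assumptions: matching is exact, and an empty allowlist permits no flags.
func rejectedFlags(allowlist, args []string) []string {
	allowed := make(map[string]bool, len(allowlist))
	for _, flag := range allowlist {
		allowed[strings.TrimSpace(flag)] = true
	}
	var rejected []string
	for _, arg := range args {
		arg = strings.TrimSpace(arg)
		// Tokens that do not start with "-" are values of the preceding flag.
		if !strings.HasPrefix(arg, "-") {
			continue
		}
		if !allowed[arg] {
			rejected = append(rejected, arg)
		}
	}
	return rejected
}

func main() {
	// Constructed sample data: the flags an operator intends to permit and the
	// args list taken from a submitted job's QEMU task.
	allowlist := []string{"-nodefaults", "-nographic"}
	jobArgs := []string{"-nodefaults", "-drive", "<constructed drive spec>", "-nographic"}

	if bad := rejectedFlags(allowlist, jobArgs); len(bad) > 0 {
		fmt.Printf("reject job: flags not in allowlist: %v\n", bad)
		return
	}
	fmt.Println("job args accepted")
}
```

Because matching is exact and deny-by-default, any spelling of a flag that the operator did not list is reported rather than passed through.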
lgfa29 changed the title from "placeholder" to "CVE-2021-43415 - Nomad QEMU Task Driver Allowed Paths Bypass with Job Args" on Nov 22, 2021
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.