CVE-2024-1329: 
Nomad vulnerability analysis and mitigation

HashiCorp Nomad and Nomad Enterprise versions 1.5.13 up to 1.6.6, and 1.7.3 contain a template renderer vulnerability that allows arbitrary file write on the host as the Nomad client user through symlink attacks. The vulnerability, identified as CVE-2024-1329, was discovered during scheduled security testing and has been fixed in Nomad versions 1.7.4, 1.6.7, and 1.5.14 (HashiCorp Advisory).

The vulnerability stems from the job template block feature in Nomad, which instantiates a template renderer with source and destination paths. The core issue lies in the artifact archive unpacking process, which failed to validate that symlinks in the archive did not point outside the allocdir. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

An attacker could exploit this vulnerability to perform arbitrary file writes on the host system with Nomad client user privileges. This could potentially lead to system compromise through manipulation of critical files or escalation of privileges (HashiCorp Advisory).

The primary mitigation is to upgrade Nomad to versions 1.7.4, 1.6.7, or 1.5.15. The fix implements a sandboxed subprocess for template operations, using chroot on Linux/Unix systems and Windows AppContainer on Windows. For Windows environments, additional protection can be achieved by running Docker containers as ContainerUser instead of ContainerAdministrator. The sandbox can be disabled by setting client.disablefilesandbox=true in Nomad client configuration (HashiCorp Advisory).