CVE-2023-49936
📋 TL;DR
This CVE describes a NULL pointer dereference vulnerability in SchedMD Slurm workload manager that can cause denial of service. When exploited, it crashes the affected Slurm service, disrupting job scheduling and cluster management. Organizations running vulnerable Slurm versions 22.05.x, 23.02.x, or 23.11.x are affected.
💻 Affected Systems
- SchedMD Slurm
📦 What is this software?
Slurm by Schedmd
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster unavailability with job loss and scheduling disruption across all managed nodes
Likely Case
Service crash requiring manual restart of Slurm daemons, causing temporary job scheduling interruption
If Mitigated
Minimal impact with quick service restoration if monitoring and restart automation are in place
🎯 Exploit Status
Exploitation requires sending specially crafted requests to Slurm daemons; authentication requirements depend on Slurm configuration
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.05.11, 23.02.7, or 23.11.1
Vendor Advisory: https://www.schedmd.com/security-archive.php
Restart Required: Yes
Instructions:
1. Check the current Slurm version with 'slurmd -V' or 'scontrol show config | grep Version'.
2. Download the appropriate patched version from SchedMD or your distribution's repositories.
3. Stop Slurm services: 'systemctl stop slurmctld slurmd'.
4. Install the updated packages.
5. Restart services: 'systemctl start slurmctld slurmd'.
6. Verify with 'scontrol ping'.
🔧 Temporary Workarounds
Network Access Restriction
Limit network access to Slurm daemons to trusted hosts only
iptables -A INPUT -p tcp --dport 6817:6819 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 6817:6819 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Slurm management interfaces
- Deploy monitoring and automated restart scripts for Slurm daemons to minimize downtime
🔍 How to Verify
Check if Vulnerable:
Run 'slurmd -V' or 'scontrol show config | grep Version' and check whether the version is in an affected range: 22.05.x before 22.05.11, 23.02.x before 23.02.7, or 23.11.x before 23.11.1
Check Version:
slurmd -V 2>&1 | head -1
Verify Fix Applied:
After patching, verify version shows 22.05.11, 23.02.7, or 23.11.1 and test with 'scontrol ping' returning UP
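The version check above, as an added example that is not part of the advisory or of Slurm itself: it parses the 'slurm X.Y.Z' line printed by 'slurmd -V' (or the SLURM_VERSION line from 'scontrol show config'), tolerates packaging suffixes such as '-1' or 'rc2', and classifies the release against the fixed versions listed in this advisory. The sample version strings are constructed, not captured from a real host.

```python
import re
import subprocess

# Affected branch -> first fixed release, taken from this advisory.
FIXED = {
    (22, 5): (22, 5, 11),
    (23, 2): (23, 2, 7),
    (23, 11): (23, 11, 1),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'slurm 23.02.5'
    or 'SLURM_VERSION = 23.02.5'. Suffixes like '-1' or 'rc2' are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Return 'vulnerable', 'fixed', or 'not-listed'.
    'not-listed' means the branch is not one of the three named in the
    advisory, so this script makes no claim about it."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if ver >= fixed else "vulnerable"


def local_version_line():
    """Run the check the advisory recommends: 'slurmd -V 2>&1 | head -1'."""
    out = subprocess.run(["slurmd", "-V"], capture_output=True, text=True)
    return (out.stdout or out.stderr).splitlines()[0]


if __name__ == "__main__":
    # Constructed sample outputs for illustration.
    for sample in ["slurm 23.02.5", "slurm 22.05.11", "slurm 23.11.0rc2", "slurm 24.05.1"]:
        print(f"{sample:20} -> {assess(sample)}")
    try:
        line = local_version_line()
        print(f"{line:20} -> {assess(line)}")
    except FileNotFoundError:
        print("slurmd not found on this host")
```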
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault or NULL pointer errors in /var/log/slurm/*.log
- Unexpected Slurm daemon crashes
- Connection refused errors from Slurm clients
Network Indicators:
- Sudden drop in Slurm service ports (6817-6819) connectivity
- Increased connection attempts to Slurm ports
SIEM Query:
source="slurm*.log" AND ("segmentation fault" OR "NULL pointer" OR "crash")
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
- https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
- https://www.schedmd.com/security-archive.php