CVE-2023-49937
📋 TL;DR
This CVE describes a double-free vulnerability in the SchedMD Slurm workload manager that allows attackers to cause a denial of service or potentially execute arbitrary code. The vulnerability affects Slurm versions 22.05.x, 23.02.x, and 23.11.x before the patch releases 22.05.11, 23.02.7, and 23.11.1 respectively. Organizations using affected Slurm versions for cluster management are at risk.
💻 Affected Systems
- SchedMD Slurm
📦 What is this software?
Slurm by Schedmd
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, privilege escalation, and potential lateral movement within the cluster environment.
Likely Case
Denial of service causing Slurm daemon crashes, disrupting job scheduling and cluster operations until service restart.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting availability within isolated segments.
🎯 Exploit Status
Double-free vulnerabilities typically require specific memory-manipulation knowledge, but the CVSS 9.8 base score indicates a network-reachable, low-complexity, unauthenticated vector with high impact, so reliable exploitation is considered feasible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.05.11, 23.02.7, or 23.11.1
Vendor Advisory: https://www.schedmd.com/security-archive.php
Restart Required: Yes
Instructions:
1. Identify the current Slurm version using 'slurmd -V' or 'scontrol show config | grep Version'.
2. Download the appropriate patched version from the SchedMD website.
3. Stop Slurm services.
4. Install the updated packages.
5. Restart Slurm services.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Slurm daemons to trusted management networks only. Replace TRUSTED_NETWORK with your management CIDR; 6817 is the default slurmctld port, and the same pattern applies to the other Slurm ports listed under Network Indicators (6818 and 6819). Because -A appends, these rules must come before any broader ACCEPT rule in the INPUT chain.
iptables -A INPUT -p tcp --dport 6817 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 6817 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Slurm management interfaces from untrusted networks
- Deploy additional monitoring and alerting for Slurm daemon crashes or abnormal behavior
🔍 How to Verify
Check if Vulnerable:
Run 'slurmd -V' or 'scontrol show config | grep Version' and check whether the version falls in an affected range (22.05.x below 22.05.11, 23.02.x below 23.02.7, or 23.11.x below 23.11.1).
Check Version:
slurmd -V 2>/dev/null || scontrol show config 2>/dev/null | grep Version
Verify Fix Applied:
Verify that the version shown after patching is at or above the fix release for its branch: 22.05.11, 23.02.7, or 23.11.1.
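The version check above as a script, added here as an example and not part of the advisory or of SchedMD's tooling: it classifies a version string against the three fixed releases (a branch not named in the advisory is reported as not affected, with no claim made) and can run the advisory's own commands on the local host. The 'grep -i version' in check_local_slurm assumes scontrol prints the version on a line containing that word.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a Slurm version
# string falls in an affected range for CVE-2023-49937, i.e. below the
# fixed releases 22.05.11, 23.02.7 and 23.11.1.
# Exit status: 0 = affected, 1 = not affected (or a branch not listed),
# 2 = version string not parseable.
slurm_vulnerable() {
    # Accept raw "23.02.6", the "slurm 23.02.6" printed by slurmd -V, or a
    # "SLURM_VERSION = 23.02.6" style line from scontrol: take the first X.Y.Z.
    parsed=$(printf '%s' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2 \3/p')
    [ -n "$parsed" ] || return 2
    set -- $parsed            # $1 = "major.minor", $2 = patch level
    case "$1" in
        22.05) [ "$2" -lt 11 ] ;;
        23.02) [ "$2" -lt 7 ] ;;
        23.11) [ "$2" -lt 1 ] ;;
        *) return 1 ;;        # branch not named in the advisory: no claim made
    esac
}

# Run the advisory's own version commands on this host and report the result.
check_local_slurm() {
    out=$(slurmd -V 2>/dev/null || scontrol show config 2>/dev/null | grep -i version)
    rc=0
    slurm_vulnerable "$out" || rc=$?
    case "$rc" in
        0) echo "AFFECTED: $out (upgrade to 22.05.11 / 23.02.7 / 23.11.1 or later)" ;;
        1) echo "not affected: $out" ;;
        *) echo "could not determine Slurm version (slurmd/scontrol unavailable?)"; return 2 ;;
    esac
}

# Usage: sh slurm_check.sh --local     -> check this host
#        sh slurm_check.sh 23.02.6     -> classify a given version string
case "${1:-}" in
    --local) check_local_slurm ;;
    "") ;;                    # no argument: only define the functions (for sourcing)
    *) slurm_vulnerable "$1" && echo "AFFECTED: $1" || echo "not affected / unknown: $1" ;;
esac
```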
📡 Detection & Monitoring
Log Indicators:
- Slurm daemon crashes in syslog
- Segmentation fault errors in Slurm logs
- Abnormal memory allocation patterns
Network Indicators:
- Unexpected connections to Slurm ports (6817-6819)
- Malformed packets to Slurm services
SIEM Query:
source="slurm.log" AND ("segmentation fault" OR "double free" OR "abort" OR "crash")
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO/
- https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html
- https://www.schedmd.com/security-archive.php