SchedMD Slurm is a widely used open-source workload manager for high-performance computing (HPC) clusters. CVE-2023-49935 identifies a critical vulnerability in Slurm versions 23.02.x and 23.11.x related to the slurmd daemon, which manages compute nodes. The vulnerability arises from incorrect access control mechanisms that allow an attacker to bypass the integrity checks of RPC messages. Specifically, the flaw permits reuse of root-level authentication tokens during communication with slurmd, effectively bypassing the RPC message hashes that are intended to prevent unauthorized reuse of MUNGE credentials. MUNGE is a credential management system used by Slurm to authenticate and authorize requests securely. By exploiting this flaw, an attacker can impersonate privileged processes or users, potentially executing unauthorized commands or escalating privileges within the HPC environment. This bypass undermines the fundamental security model of Slurm's node communication and authentication. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a significant risk for HPC clusters that rely on Slurm for job scheduling and resource management. The issue was publicly disclosed on December 14, 2023, with fixed versions 23.02.7 and 23.11.1 released to address the problem. Organizations running affected versions should prioritize upgrading to these patched releases to prevent exploitation.

For European organizations, especially those operating HPC clusters in academic, scientific research, and industrial sectors, this vulnerability poses a serious risk. Successful exploitation could allow attackers to gain unauthorized root-level access on compute nodes, leading to potential data breaches, manipulation of computational jobs, or disruption of critical research activities. The integrity and confidentiality of sensitive research data and computations could be compromised. Additionally, attackers might leverage this access to move laterally within the network or disrupt cluster availability, impacting operational continuity. Given the reliance on Slurm in many European supercomputing centers and research institutions, the impact could extend to national research infrastructure and collaborative projects. The vulnerability could also affect cloud providers offering HPC services based on Slurm, thereby broadening the scope of impact across multiple sectors.

1. Immediate upgrade to Slurm versions 23.02.7 or 23.11.1, which contain the fix for this vulnerability. 2. Implement strict monitoring and logging of slurmd communications to detect anomalous token reuse or suspicious RPC message patterns. 3. Restrict access to slurmd processes and RPC interfaces to trusted administrative networks only, minimizing exposure to untrusted users. 4. Review and harden MUNGE credential management policies, including regular credential rotation and limiting token lifetimes. 5. Conduct thorough audits of HPC cluster configurations to ensure no legacy or unsupported Slurm versions remain in use. 6. Educate HPC administrators about the risks of token reuse and the importance of applying security patches promptly. 7. Consider network segmentation to isolate compute nodes and limit potential lateral movement in case of compromise.