SchedMD Slurm is a widely used open-source workload manager for high-performance computing (HPC) clusters. CVE-2023-49938 identifies an incorrect access control vulnerability in Slurm versions 22.05.x and 23.02.x. The flaw arises because an attacker can manipulate their extended group list, which is used by the sbcast subsystem responsible for broadcasting files to nodes in the cluster. By modifying these extended groups, an attacker can open files with unauthorized group permissions, effectively bypassing intended access controls. This can lead to unauthorized access or modification of files that should be restricted based on group membership. The vulnerability does not require user interaction and can be exploited by an authenticated user with access to the Slurm environment. Although no known exploits are currently reported in the wild, the issue poses a significant risk in HPC environments where sensitive data and computations are handled. The fixed versions 22.05.11 and 23.02.7 address this issue by enforcing proper access control checks on extended group lists within the sbcast subsystem. Organizations relying on affected Slurm versions should prioritize upgrading to these patched releases to prevent potential privilege escalation and unauthorized data access.

For European organizations, particularly those operating HPC clusters in research, academia, and industry, this vulnerability could lead to unauthorized access to sensitive computational data and intellectual property. The ability to manipulate group permissions and access files beyond authorized boundaries threatens confidentiality and integrity of data processed in HPC environments. This could result in data leakage, tampering with scientific computations, or disruption of workflows. Given the critical role HPC clusters play in sectors such as pharmaceuticals, climate modeling, and engineering, exploitation could have cascading effects on research outcomes and operational trust. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this vulnerability. The vulnerability does not directly impact availability but could indirectly cause denial of service if unauthorized modifications disrupt cluster operations.

European organizations should immediately upgrade Slurm installations to versions 22.05.11 or 23.02.7 or later to remediate the vulnerability. In addition to patching, administrators should audit and restrict group membership management policies to prevent unauthorized modifications. Implement strict access controls on the sbcast subsystem and monitor logs for unusual group list changes or file access patterns. Employ role-based access control (RBAC) to limit the ability to modify extended groups only to trusted administrators. Regularly review and update HPC cluster security policies, including user permissions and file system ACLs. Consider deploying intrusion detection systems tailored for HPC environments to detect anomalous behavior related to group membership or file access. Finally, maintain an incident response plan specific to HPC clusters to quickly address potential exploitation attempts.