CVE-2024-42018 is a vulnerability in Atos Eviden SMC xScale HPC management software prior to version 1.6.6. During the initialization of compute nodes, configuration parameters containing sensitive credentials are fetched from management nodes. These credentials are critical to maintaining the security posture of the HPC environment. To protect these credentials, access control is enforced on the management nodes, typically via iptables firewall rules configured through cloudinit. However, the iptables rules are applied in the runcmd section of cloudinit, which executes late in the boot process and does not persist after a reboot on diskful nodes. As a result, after a reboot, the firewall rules are lost, exposing the management node to unauthorized access by unprivileged users. Diskless nodes are not impacted because their initialization process differs. The vulnerability is classified under CWE-922 (Improper Restriction of Operations within the Bounds of a Memory Buffer) due to the failure to maintain proper access control boundaries. The CVSS v3.1 score is 7.7 (high), reflecting network attack vector, low attack complexity, required privileges (limited), no user interaction, and a scope change with high confidentiality impact but no integrity or availability impact. No public exploits have been reported yet. The primary fix involves moving the iptables configuration commands from the runcmd section to the bootcmd section in cloudinit, ensuring firewall rules are applied early and persist across reboots, thereby maintaining access control on management nodes.

The vulnerability exposes sensitive HPC cluster credentials stored in configuration parameters on management nodes to unauthorized users after a reboot of diskful nodes. This can lead to unauthorized access to critical management functions or data, potentially allowing attackers to gather intelligence on the HPC environment or prepare further attacks. Although integrity and availability are not directly impacted, the confidentiality breach can undermine the overall security of the HPC infrastructure. Organizations relying on Atos Eviden SMC xScale for high-performance computing may face increased risk of insider threats or lateral movement by attackers with limited privileges. The loss of firewall protections after reboot increases the attack surface and may facilitate privilege escalation or unauthorized configuration changes. Given the specialized nature of HPC environments, the impact is significant for research institutions, government agencies, and enterprises using these systems for sensitive computations.

To mitigate CVE-2024-42018, administrators should update the cloudinit configuration on diskful nodes to move iptables firewall rule commands from the runcmd section to the bootcmd section. This ensures that firewall rules are applied early in the boot process and persist after reboots. Additionally, verify that access control policies on management nodes are enforced consistently and test reboot scenarios to confirm firewall persistence. Implement monitoring to detect unauthorized access attempts to management nodes, especially after node reboots. Restrict physical and network access to diskful nodes to prevent unauthorized reboots or tampering. Consider upgrading Atos Eviden SMC xScale to version 1.6.6 or later once available, as it likely contains the fix. Regularly audit HPC cluster configurations and credentials to detect anomalies. Finally, educate administrators on the importance of correct cloudinit configuration and the risks of improper firewall rule persistence.