Skip to content

OSG-SEC-2022-05-05 CRITICAL Vulnerability in Slurm authentication handling

Dear OSG Security Contacts,

Three vulnerabilities have been found and fixed in Slurm [1], including one in the authentication handling which may allow an unprivileged user to impersonate the SlurmUser account. Access to the SlurmUser account can be used to execute arbitrary processes as root. [1] This vulnerability (CVE-2022-29500) is considered CRITICAL by the OSG security team.

IMPACTED VERSIONS:

Slurm versions prior to 21.08.8 and 20.11.9, all earlier versions should be considered vulnerable.

WHAT ARE THE VULNERABILITIES

  • CVE-2022-29500: An architectural flaw with how credentials are handled can be exploited to allow an unprivileged user to impersonate the SlurmUser account. Access to the SlurmUser account can be used to execute arbitrary processes as root.

  • CVE-2022-29501: An issue was discovered with a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. This vulnerability could allow an unprivileged user to send data to an arbitrary unix socket on the host as the root user.

  • CVE-2022-29502: An issue was found with the I/O key validation logic in the srun client command that could permit an attacker to attach to the user's terminal, and intercept process I/O. (Slurm 21.08 only.)

WHAT YOU SHOULD DO

Sites running Slurm must install the updated version as soon as possible and restart the slurmdbd, slurmctld, and slurmd processes. [2]

Once all daemons have been upgraded sites are encouraged to add "block_null_hash" to CommunicationParameters. That new option provides additional protection against a potential exploit. [1]

There are no other known mitigations at this time.

REFERENCES

[1] https://lists.schedmd.com/pipermail/slurm-announce/2022/000072.html [2] https://www.schedmd.com/downloads.php

Please contact the OSG security team at [email protected] if you have any questions or concerns.