CVE-2023-49933: 
NixOS vulnerability analysis and mitigation

An issue was discovered in SchedMD Slurm versions 22.05.x, 23.02.x, and 23.11.x related to Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This vulnerability allows attackers to modify RPC traffic in a way that bypasses message hash checks. The vulnerability was disclosed on December 13, 2023, and has been assigned CVE-2023-49933. The issue has been fixed in versions 22.05.11, 23.02.7, and 23.11.1 (Slurm Announce).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue is classified as CWE-924 (Improper Enforcement of Message Integrity During Transmission in a Communication Channel). The vulnerability specifically allows for malicious modification of RPC traffic that can bypass the message hash checks designed to protect the system (NVD).

The vulnerability allows attackers to modify RPC (Remote Procedure Call) traffic by bypassing message hash checks, which could lead to unauthorized modifications of system behavior. This represents a significant integrity risk as it compromises the security mechanisms designed to ensure message authenticity (Slurm Announce).

The only available mitigation is to upgrade to the fixed versions: Slurm 22.05.11, 23.02.7, or 23.11.1. SchedMD strongly recommends against attempting to backport fixes to older releases due to the complexity of the fixes and encourages sites to upgrade to the fixed versions immediately. The fix requires patching and restarting the affected daemons (Slurm Announce).

The vulnerability was reported as part of a larger security update that included six security issues in total, with five of them being reported by Ryan Hall from Meta Red Team X. The issue was handled according to SchedMD's security policy, with customers being notified ahead of public disclosure (Slurm Announce).