CVE-2023-49935: 
NixOS vulnerability analysis and mitigation

An issue was discovered in SchedMD Slurm versions 23.02.x and 23.11.x, identified as CVE-2023-49935. The vulnerability involves Incorrect Access Control due to a slurmd Message Integrity Bypass. The issue was discovered and reported by Ryan Hall from Meta Red Team X, with the disclosure made public on December 13, 2023. The vulnerability affects the slurmd process in Slurm workload manager systems, with fixed versions being 23.02.7 and 23.11.1 (Slurm Announce, NVD).

The vulnerability allows an attacker to reuse root-level authentication tokens during interaction with the slurmd process, effectively bypassing the RPC message hashes that are designed to protect against undesired MUNGE credential reuse. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 Base Score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-613 (Insufficient Session Expiration) (NVD).

The vulnerability's impact is significant as it allows attackers to bypass authentication controls and potentially escalate privileges to root level. This could lead to unauthorized access to the system with elevated permissions, potentially compromising the entire cluster management system (Slurm Announce).

The only available mitigation is to update to the fixed versions: Slurm 23.02.7 or 23.11.1. SchedMD strongly recommends immediate patching as there are no alternative workarounds available. The fix requires patching and restarting the affected daemons. Due to the complexity of these fixes, SchedMD does not recommend attempting to backport the fixes to older releases (Slurm Announce).