CVE-2016-10030 in Slurm
Summary
by MITRE
The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/27/2022
The vulnerability identified as CVE-2016-10030 resides within the Slurm workload manager's slurmd daemon component, specifically in the _prolog_error function located in slurmd/req.c. This flaw represents a privilege escalation vulnerability that allows authenticated users to gain unauthorized control over arbitrary files on compute nodes within a Slurm-managed cluster environment. The vulnerability stems from improper handling of Prolog script failure notifications, where the slurmd daemon fails to properly validate or sanitize file operations during error reporting scenarios. This issue affects a broad range of Slurm versions spanning from 0.6.0 released in September 2005 through the affected versions up to the specified patches, making it a long-standing security concern that has persisted across multiple major releases. The vulnerability operates under the Common Weakness Enumeration classification of CWE-22, which deals with improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks. The operational impact of this vulnerability extends beyond simple file access, as it enables potential attackers to manipulate critical system files, potentially leading to complete system compromise or denial of service conditions within the cluster infrastructure.
The technical exploitation of this vulnerability requires an attacker to first gain access to a Slurm job submission account and then carefully craft or anticipate a Prolog script failure scenario that would trigger the vulnerable code path. When a Prolog script returns a non-zero exit code, the slurmd daemon attempts to report this failure to users while simultaneously processing file operations that could be manipulated by a malicious user. The flaw occurs during the error reporting mechanism where the system does not adequately validate the file paths or operations performed during the error handling process, creating opportunities for attackers to redirect file operations to arbitrary locations on the filesystem. This vulnerability aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, and T1078.002, which involves valid accounts and legitimate credentials. The exploitation process leverages the fact that Prolog scripts are executed during job allocation and can be designed to fail in predictable ways, allowing attackers to trigger the vulnerable code path and subsequently manipulate file operations to achieve their objectives. The attack vector specifically targets the compute node level rather than the central Slurm controller, making it particularly dangerous in distributed computing environments where multiple nodes are managed by a single Slurm installation.
The mitigation strategies for CVE-2016-10030 are twofold and primarily focus on either disabling or carefully modifying the Prolog script functionality within the Slurm configuration. The most effective workaround involves completely disabling Prolog scripts if they are not essential to the cluster's operation, as this eliminates the attack surface entirely. Alternatively, administrators can modify existing Prolog scripts to always return a zero exit code, effectively signaling success to the slurmd daemon while implementing proper node state management through the scontrol command interface. This approach ensures that the system does not attempt to process the error handling path that contains the vulnerability while maintaining the necessary operational functionality for cluster management. The recommended patching strategy involves upgrading to Slurm versions 15.08.13, 16.05.7, or 17.02.0-pre4, which contain the necessary code modifications to properly validate file operations during error handling scenarios. Organizations should also implement monitoring solutions to detect unusual patterns in Prolog script execution and failure reporting, as these could indicate attempted exploitation of this vulnerability. The vulnerability's persistence across multiple major versions underscores the importance of regular security audits and patch management processes within high-performance computing environments where Slurm is deployed. System administrators should also consider implementing additional security controls such as restricted file permissions and monitoring of critical system files to prevent unauthorized modifications that could result from successful exploitation of this vulnerability.