CVE-2021-43337 in Slurm
Summary
by MITRE • 11/17/2021
SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On sites using the new AccountingStoreFlags=job_script and/or job_env options, the access control rules in SlurmDBD may permit users to request job scripts and environment files to which they should not have access.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/17/2024
The vulnerability identified as CVE-2021-43337 affects SchedMD Slurm versions 21.08.* prior to 21.08.4, representing a critical access control flaw that undermines the security posture of high-performance computing environments. This issue specifically targets the SlurmDBD component which manages database operations for the Slurm workload manager, creating a scenario where unauthorized users can potentially access sensitive job script and environment files that should be restricted to authorized personnel only. The vulnerability arises from improper implementation of access control mechanisms within the database layer, particularly when utilizing the AccountingStoreFlags configuration options that enable storage of job scripts and environment variables for auditing purposes.
The technical flaw manifests when sites configure Slurm with AccountingStoreFlags=job_script and/or job_env options, which are designed to store job execution details for accounting and auditing purposes. Under normal operation, these flags should ensure that only authorized users or administrators can access the stored job scripts and environment files. However, the access control implementation fails to properly validate user permissions against stored job data, allowing authenticated users to request and retrieve job information that they should not be authorized to access. This represents a direct violation of the principle of least privilege and demonstrates a classic access control bypass vulnerability that can be exploited by malicious actors within the system.
The operational impact of this vulnerability extends beyond simple information disclosure, as job scripts and environment files often contain sensitive configuration details, authentication tokens, system paths, and potentially proprietary code or algorithms. An attacker who successfully exploits this vulnerability could gain insights into system configurations, identify potential attack vectors, and potentially extract credentials or other sensitive information from job environments. This access could enable further exploitation attempts including privilege escalation, lateral movement within the cluster, or the discovery of additional system vulnerabilities. The impact is particularly severe in multi-tenant environments where different users or research groups share the same Slurm cluster but should maintain strict separation of their computational workloads.
Organizations should immediately apply the patched version 21.08.4 or higher to remediate this vulnerability, as the fix addresses the core access control logic in SlurmDBD to properly validate user permissions before serving job script and environment data. Additional mitigations include implementing network segmentation to restrict access to SlurmDBD services, regularly reviewing and auditing accounting configurations, and monitoring for unauthorized access attempts to job storage areas. This vulnerability aligns with CWE-284 Access Control Bypass and maps to ATT&CK technique T1078 Valid Accounts, as it allows unauthorized access through legitimate user accounts by exploiting weak access controls. Organizations should also consider implementing additional logging and monitoring around database access patterns to detect potential exploitation attempts, as the vulnerability may not be immediately apparent through standard security scanning tools.