From 6f27ab4186815e17e0abad9c1670fa30bbc9aaee Mon Sep 17 00:00:00 2001 From: lanced00m Date: Thu, 28 Nov 2024 11:40:42 +0100 Subject: [PATCH] perform issues of second review --- .../detectors/slurm_exposed_rest_api/README.md | 13 ++++++++----- .../detectors/slurm_exposed_rest_api/build.gradle | 2 +- .../detectors/rce/SlurmExposedRestApiDetector.java | 7 ++++--- .../SlurmExposedRestApiDaemonVuLnDetectorTest.java | 4 ++-- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/community/detectors/slurm_exposed_rest_api/README.md b/community/detectors/slurm_exposed_rest_api/README.md index 1dd4dbed5..b2348d154 100644 --- a/community/detectors/slurm_exposed_rest_api/README.md +++ b/community/detectors/slurm_exposed_rest_api/README.md @@ -1,11 +1,14 @@ # Slurm Exposed REST API -This detector checks for exposed slurm REST API daemon by running an arbitrary command. The Slurm Rest API requires -authentication by default. However, a common configuration involves using a reverse proxy that (theoretically) should -authenticate the user with some other methods and, if successful, authenticates towards the Slurm Rest API using a -hardcoded JWT token that is injected into the forwarded request's headers. +his detector checks for an exposed Slurm REST API service by running an arbitrary command using the Tsunami Callback +Server. -Reference: +The Slurm Rest API requires authentication by default. However, a common configuration involves using a reverse proxy +that (in correctly-configured environments) should authenticate the user first using some other methods and, if +successful, inject a JWT token into the request before forwarding it to the Slurm REST API service. + +If the reverse proxy is misconfigured to simply forward the requests without any authentication steps, it will allow +anyone to use the API and therefore get RCE by submitting malicious jobs to the cluster. - https://slurm.schedmd.com/rest.html#auth_proxy 
diff --git a/community/detectors/slurm_exposed_rest_api/build.gradle b/community/detectors/slurm_exposed_rest_api/build.gradle index f5c940d29..dbaf50f74 100644 --- a/community/detectors/slurm_exposed_rest_api/build.gradle +++ b/community/detectors/slurm_exposed_rest_api/build.gradle @@ -2,7 +2,7 @@ plugins { id 'java-library' } -description = 'Geoserver RCE (CVE-2024-36401) VulnDetector plugin.' +description = 'Slurm Exposed REST API VulnDetector plugin.' group = 'com.google.tsunami' version = '0.0.1-SNAPSHOT' diff --git a/community/detectors/slurm_exposed_rest_api/src/main/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDetector.java b/community/detectors/slurm_exposed_rest_api/src/main/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDetector.java index baf481122..98ccd0321 100644 --- a/community/detectors/slurm_exposed_rest_api/src/main/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDetector.java +++ b/community/detectors/slurm_exposed_rest_api/src/main/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDetector.java @@ -127,7 +127,8 @@ private boolean isServiceVulnerable(NetworkService networkService) { openapiV3Response = httpClient.send(get(rootUri + "openapi/v3").withEmptyHeaders().build(), networkService); } catch (IOException e) { - throw new RuntimeException(e); + logger.atWarning().withCause(e).log("Request to target %s failed", rootUri); + return false; } if (openapiV3Response.status() != HttpStatus.OK || openapiV3Response.bodyString().isEmpty()) { return false; 
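Review bot: In the new `catch (IOException e)` branch of `isServiceVulnerable`, a failed probe now returns `false`, so a timeout or TLS error is reported exactly like a target that is not exposed, and the warning is the only trace that the check never completed. The message logs `rootUri` while the request actually went to `rootUri + "openapi/v3"`; I would name the probed endpoint and the outcome, e.g. `logger.atWarning().withCause(e).log("Request to %sopenapi/v3 failed; target not evaluated", rootUri);`. The function's body starts and ends outside this hunk, so I cannot see whether the later requests in it handle `IOException` the same way.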
@@ -203,8 +204,8 @@ private DetectionReport buildDetectionReport(
 .setSeverity(Severity.CRITICAL)
 .setTitle("Exposed Slurm REST API Server")
 .setDescription(
- "Exposed slurm rest api servers Can be exploited by attackers to submit a job and "
- + "therefore execute arbitrary OS-level commands on slurm compute nodes")
+ "An exposed Slurm REST API server can be exploited by attackers to submit a job and "
+ + "therefore execute arbitrary OS-level commands on Slurm compute nodes")
 .setRecommendation(
 "Set proper authentication for the Slurm Rest API server and "
 + "ensure the API is not publicly exposed through a "
diff --git a/community/detectors/slurm_exposed_rest_api/src/test/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonVuLnDetectorTest.java b/community/detectors/slurm_exposed_rest_api/src/test/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonVuLnDetectorTest.java
index 65a58d635..5b1aa6896 100644
--- a/community/detectors/slurm_exposed_rest_api/src/test/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonVuLnDetectorTest.java
+++ b/community/detectors/slurm_exposed_rest_api/src/test/java/com/google/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonVuLnDetectorTest.java
@@ -129,8 +129,8 @@ public void detect_whenVulnerable_returnsVulnerability() throws IOException {
 .setSeverity(Severity.CRITICAL)
 .setTitle("Exposed Slurm REST API Server")
 .setDescription(
- "Exposed slurm rest api servers Can be exploited by attackers to submit a job and "
- + "therefore execute arbitrary OS-level commands on slurm compute nodes")
+ "An exposed Slurm REST API server can be exploited by attackers to submit a job and "
+ + "therefore execute arbitrary OS-level commands on Slurm compute nodes")
 .setRecommendation(
 "Set proper authentication for the Slurm Rest API server and "
 + "ensure the API is not publicly exposed through a "