Difference between revisions of "SVG:Advisory-SVG-CVE-2018-19295"
Latest revision as of 13:30, 3 January 2019
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk vulnerability in Singularity on CentOS/EL7 CVE-2018-19295 [EGI-SVG-CVE-2018-19295]

Date: 2018-12-13
Updated: 2019-01-03 - set to WHITE and placed on wiki

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Singularity on CentOS/EL7

Package : Singularity
CVE ID  : CVE-2018-19295

This issue affects Singularity 2.4.0 through 2.6.0 on CentOS/EL7 or any modern systemd-based distribution where mount points use shared mount propagation by default (CVE-2018-19295) [R 1] [R 2].

A malicious user with access to the host system (e.g. through SSH or via running a job) could exploit this vulnerability to mount arbitrary directories into the host, allowing privilege escalation.

The vulnerability affects the setuid-root mode of Singularity. The CentOS/EL7.6 kernel supports running Singularity in non-setuid-root mode, but not for all use cases that a site may need to support. Furthermore, even for supported use cases a switch to non-setuid-root mode may not be transparent. Therefore such a switch cannot be advised at this time. However, a viable mitigation is provided below.

Actions required/recommended
============================

Sites providing Singularity setuid-root on CentOS/EL7 should update to version 2.6.1 urgently, or apply the suggested mitigation, or uninstall the Singularity RPM(s).

Component installation information
==================================

Singularity version 2.6.1 is available from EPEL7 [R 3].

Mitigation
==========

The known exploits affect setuid executables in the singularity RPM and the singularity-runtime RPM. However, they do not affect the setuid executable in singularity-runtime that is used for executing containers. The affected setuid executable in singularity-runtime allows starting background instances, which is not known to be used by batch jobs, and can therefore be removed.

The singularity RPM is only needed on hosts where image creation capability is needed. Hence, for hosts such as worker nodes, one can mitigate the vulnerability by removing the affected binaries:

1. Remove the singularity RPM if it is installed, leaving only the singularity-runtime RPM.
2. Remove the remaining affected executable:

   rm /usr/libexec/singularity/bin/start-suid

That executable will be reinstalled after an RPM upgrade.

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-19295

Minor updates may be made without re-distribution to the sites.

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI, you may report it by e-mail to report-vulnerability at egi.eu. The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4]. Note that this procedure has been updated and the latest version was approved by the Operations Management Board in November 2017.

References
==========

[R 1] https://github.com/sylabs/singularity/releases/tag/2.6.1
[R 2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19295
[R 3] https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/s/
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Dave Dykstra (FNAL, OSG)

Timeline
========

Yyyy-mm-dd [EGI-SVG-2018-CVE-2018-19295]

2018-12-11 SVG alerted to this issue by Dave Dykstra (FNAL, OSG)
2018-12-11 Acknowledgement from the EGI SVG to the reporter
2018-12-12 Investigation of vulnerability and relevance to EGI carried out
2018-12-12 OSG advisory information received from Jeny Teheran (FNAL, OSG)
2018-12-13 EGI SVG Risk Assessment completed
2018-12-13 Advisory sent to sites and VO security contacts
2019-01-03 Advisory re-set to WHITE and placed on the wiki
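A site that has applied the mitigation described above (or upgraded to 2.6.1) will want a quick way to confirm the state of its worker nodes. The script below is an added example, not part of the EGI advisory and not code from the Singularity project. It checks whether a Singularity version string falls in the affected 2.4.0 through 2.6.0 range, whether the start-suid helper the advisory says to remove is still present with the setuid bit set, and summarises a host as fixed, mitigated or vulnerable. The RPM names and the /usr/libexec/singularity/bin path come from the advisory; the ability to pass an alternative prefix directory is an assumption added so the functions can be exercised against any directory.

```shell
#!/bin/sh
# Added example (not from the EGI advisory or the Singularity project):
# host-side check for the CVE-2018-19295 mitigation.

# Return 0 (true) when VERSION is within 2.4.0 .. 2.6.0 inclusive.
# A trailing RPM release such as "2.6.0-1.el7" is ignored; a missing
# patch level ("2.6") is treated as .0.
singularity_version_affected() {
    ver=${1%%-*}
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}
    [ "$major" -eq 2 ] || return 1
    [ "$minor" -ge 4 ] || return 1
    [ "$minor" -le 6 ] || return 1
    # 2.6.1 is the fixed release, so anything above 2.6.0 is out of range.
    if [ "$minor" -eq 6 ] && [ "$patch" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Return 0 (true) when PREFIX/start-suid exists with the setuid bit set,
# i.e. the step "rm /usr/libexec/singularity/bin/start-suid" has not been
# applied, or an RPM upgrade has reinstalled the file. PREFIX defaults to
# the path given in the advisory (the argument itself is an assumption).
start_suid_present() {
    prefix=${1:-/usr/libexec/singularity/bin}
    [ -u "$prefix/start-suid" ]
}

# Print one word describing a host:
#   fixed      - version outside the affected range
#   mitigated  - affected version, but start-suid has been removed
#   vulnerable - affected version and start-suid is still setuid
host_state() {
    version=$1
    prefix=$2
    if ! singularity_version_affected "$version"; then
        echo fixed
    elif start_suid_present "$prefix"; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# Live check of this host, only where rpm is available.
if command -v rpm >/dev/null 2>&1; then
    # The singularity RPM (image creation) is not needed on worker nodes.
    if rpm -q singularity >/dev/null 2>&1; then
        echo "singularity RPM installed: remove it on hosts that do not build images"
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' singularity-runtime 2>/dev/null) || installed=""
    if [ -n "$installed" ]; then
        echo "singularity-runtime $installed: $(host_state "$installed" /usr/libexec/singularity/bin)"
    fi
fi
```

Run it as root on a worker node; a result of "vulnerable" means the RPM is in the affected range and start-suid is still setuid, which is exactly the case after an RPM upgrade that stays below 2.6.1. The `-u` test checks only the mode bit, so a host that mounts the filesystem with nosuid will still be reported as vulnerable; that is deliberate, since the advisory's mitigation is to remove the file rather than rely on mount options.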
Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose "To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

On behalf of the EGI SVG,