SVG:Advisory-SVG-CVE-2018-19295

From EGIWiki
Revision as of 13:30, 3 January 2019 by imported>Cornwall

Advisory-SVG-CVE-2018-19295


Title:       EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk vulnerability in Singularity on CentOS/EL7 CVE-2018-19295 [EGI-SVG-CVE-2018-19295]

Date:        2018-12-13
Updated:     2019-01-03 - set to WHITE and placed on wiki

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Singularity on CentOS/EL7

Package : Singularity
CVE ID  : CVE-2018-19295

This issue affects Singularity 2.4.0 through 2.6.0 on CentOS/EL7 or any modern 
systemd-based distribution where mount points use shared mount propagation by default 
(CVE-2018-19295) [R 1] [R 2].

A malicious user with access to the host system (e.g. through SSH or via running a job) could 
exploit this vulnerability to mount arbitrary directories into the host, allowing privilege escalation.

The vulnerability affects the setuid-root mode of Singularity.  The
CentOS/EL7.6 kernel supports running Singularity in non-setuid-root mode,
but not for all use cases that a site may need to support.  Furthermore,
even for supported use cases a switch to non-setuid-root mode may not be transparent.
Therefore such a switch cannot be advised at this time.  However, a viable mitigation is provided below.


Actions required/recommended
============================

Sites providing Singularity setuid-root on CentOS/EL7 should update to version
2.6.1 urgently, or apply the suggested mitigation, or uninstall the Singularity RPM(s).


Component installation information
==================================

Singularity version 2.6.1 is available from EPEL7 [R 3].


Mitigation
==========

The known exploits affect setuid executables in the singularity RPM and the singularity-runtime RPM.
However, they do not affect the setuid executable in singularity-runtime that is used for executing containers.
The affected setuid executable in singularity-runtime allows starting background instances, which is not known
to be used by batch jobs, and can therefore be removed. The singularity RPM is only needed on hosts where
image creation capability is needed.

Hence, for hosts such as worker nodes, one can mitigate the vulnerability by removing affected binaries:

1. remove the singularity RPM if it is installed, leaving only the singularity-runtime RPM.
2. remove the remaining affected executable:
    rm /usr/libexec/singularity/bin/start-suid

Note that an RPM upgrade reinstalls that executable, so the removal must be repeated after any upgrade that does not move to a fixed version.
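The check-and-mitigate steps above as a small POSIX shell helper. This is an added example, not part of the EGI advisory or the Singularity project; it assumes dotted numeric version strings and accepts an optional alternate root directory so the file-removal step can be exercised on a scratch tree instead of /.

```shell
#!/bin/sh
# Added example (not from the EGI advisory): check whether a host is in the
# affected version range and apply the worker-node mitigation above.
# Assumption: an optional alternate root directory may be passed so the
# file-removal step can be tested on a scratch tree instead of /.

# Turn "2.6.1" (or "2.6.0-1.el7") into a comparable integer, e.g. 20601.
ver_key() {
  v=${1%%-*}                              # drop any RPM release suffix
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Exit 0 when the version lies in the affected range 2.4.0 through 2.6.0.
singularity_affected() {
  k=$(ver_key "$1")
  [ "$k" -ge 20400 ] && [ "$k" -le 20600 ]
}

# Location of the affected setuid helper, under an optional alternate root.
start_suid_path() {
  printf '%s/usr/libexec/singularity/bin/start-suid\n' "${1:-}"
}

# Exit 0 when the host is exposed: affected version and start-suid present.
needs_mitigation() {
  singularity_affected "$1" && [ -e "$(start_suid_path "${2:-}")" ]
}

# Apply the two mitigation steps from the advisory.
mitigate_worker_node() {
  root=${1:-}
  # Step 1: drop the image-building singularity RPM, leaving singularity-runtime.
  # Only attempted on the real root, where rpm manages the installed packages.
  if [ -z "$root" ] && command -v rpm >/dev/null 2>&1 \
     && rpm -q singularity >/dev/null 2>&1; then
    rpm -e singularity
  fi
  # Step 2: remove the background-instance helper start-suid.
  p=$(start_suid_path "$root")
  [ -e "$p" ] && rm -f "$p"
  return 0
}

# Stand-alone use on a worker node (version taken from the installed RPM):
# ver=$(rpm -q --qf '%{VERSION}' singularity-runtime) \
#   && needs_mitigation "$ver" && mitigate_worker_node
```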


TLP and URL
===========

*** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-19295

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI, you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4].

Note that this procedure has been updated; the latest version was approved by the Operations Management Board in November 2017.


References
==========

[R 1] https://github.com/sylabs/singularity/releases/tag/2.6.1

[R 2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19295

[R 3] https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/s/

[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Dave Dykstra (FNAL, OSG)

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2018-CVE-2018-19295]

2018-12-11 SVG alerted to this issue by Dave Dykstra (FNAL, OSG)
2018-12-11 Acknowledgement from the EGI SVG to the reporter
2018-12-12 Investigation of vulnerability and relevance to EGI carried out
2018-12-12 OSG advisory information received from Jeny Teheran (FNAL, OSG)
2018-12-13 EGI SVG Risk Assessment completed
2018-12-13 Advisory sent to sites and VO security contacts
2019-01-03 Advisory re-set to WHITE and placed on the wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group


On behalf of the EGI SVG,