SVG:Advisory-SVG-CVE-2021-32635
Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity security updates [EGI-SVG-CVE-2021-32635]

Date: 2021-06-22
Updated:

Affected software and risk
==========================

Package : Singularity
CVE ID : CVE-2021-32635, CVE-2021-29136

A vulnerability has been found in Singularity where it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run. [R 1] No way has been identified where this may be exploited in EGI - CVE-2021-32635.

A vulnerability has been found in Singularity where there is the potential for an attacker to overwrite host files, CVE-2021-29136. This was fixed earlier - see [R 2].

Actions required/recommended
============================

Sites and users with their own Singularity installations are advised to update to Singularity v3.7.4 at their earliest convenience if they have not done so already.

If anyone becomes aware of any situation where these vulnerabilities may have a significant impact on the EGI infrastructure, then please inform EGI SVG.

Component installation information
==================================

See [R 1]

Affected software details
=========================

CVE-2021-32635 is fixed in Singularity 3.7.4; Singularity 3.7.2 and 3.7.3 are vulnerable. Singularity version 3.7.3 additionally fixes CVE-2021-29136.

More information
================

This information is provided by the Singularity team on the 3.7.4 release:--

A security vulnerability in Singularity has been publicly announced [R 3]. Under conditions unlikely to occur for OSG users, it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run. The OSG Security team considers the vulnerability to be of MODERATE severity.
IMPACTED VERSIONS: Singularity 3.7.2 and 3.7.3

WHAT ARE THE VULNERABILITIES:

By default, singularity commands that use "library://" for downloading containers read those containers from https://cloud.sylabs.io. That is a publicly accessible server and anyone may freely create an account there for storing containers, similar to Docker Hub. Users can also choose to redirect "library://" references to a private server with the singularity "remote" command. The vulnerability is that the singularity action commands (run/shell/exec) always try to download from https://cloud.sylabs.io first, so someone could publish a container there with the same name as a container on the private server and the untrusted container from the public server would instead be used.

WHAT YOU SHOULD DO:

If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users might be using a private server for library:// containers, notify them to either not use it until 3.7.4 is available in EPEL or to create an identical account name for themselves on https://cloud.sylabs.io.

This information is provided by the Singularity team on the 3.7.3 release fixing CVE-2021-29136:--

The umoci [R 2] binary used by Singularity had an issue where layers with a symlink name of '.' or '/' could modify host files when unpacking an image. This vulnerability affects the "singularity build" and "singularity pull" operations when run as root. Build/pull from a docker or OCI source is affected, as well as the implicit build to SIF that occurs through root use of run/exec/shell against a malicious docker/OCI image URI. An attacker could exploit this vulnerability by building an image with a symlink name of '.' or '/' which could overwrite host files.
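An added defender-side check, not part of this advisory or of the Singularity/umoci projects: a Python scanner that inspects a Docker/OCI layer tarball for symlink entries named '.' or '/' (the CVE-2021-29136 pattern quoted above), so a site can screen image layers before a root build or pull on a host that has not yet been updated to 3.7.3 or later. The sample layers are constructed inline, and the check goes slightly beyond the advisory's wording by also flagging names that merely normalise to '.' (such as './').

```python
import io
import posixpath
import tarfile

# Symlink entry names that umoci (before the fix shipped with Singularity 3.7.3)
# could unpack onto the host instead of inside the image root.
DANGEROUS_LINK_NAMES = {".", "/"}


def suspicious_symlinks(layer_bytes):
    """Return (name, linkname) for every symlink entry in an OCI/Docker layer
    tarball whose name is '.' or '/', or normalises to one of them."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.issym():
                continue
            name = member.name
            # Catch variants such as './' while reporting the raw stored name.
            norm = posixpath.normpath(name) if name else name
            if name in DANGEROUS_LINK_NAMES or norm in DANGEROUS_LINK_NAMES:
                hits.append((name, member.linkname))
    return hits


def build_layer(entries):
    """Build a minimal uncompressed layer tarball in memory from
    (name, kind, payload) tuples; kind is 'file', 'dir' or 'symlink'.
    Constructed test input only, not a real image layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample layers: one ordinary, one carrying the '.' symlink pattern.
BENIGN_LAYER = build_layer([("etc", "dir", ""), ("etc/motd", "file", "hello\n"),
                            ("usr/bin/python", "symlink", "python3")])
SUSPECT_LAYER = build_layer([(".", "symlink", "/tmp/example-target"),
                             ("etc/motd", "file", "hello\n")])
```

A real layer is the (usually gzip-compressed) blob referenced from the image manifest; `mode="r:*"` lets the scanner read either compressed or plain layers.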
TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-32635

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu; the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4]. Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.

References
==========

[R 1] https://github.com/hpcng/singularity/releases/tag/v3.7.4
[R 2] https://github.com/hpcng/singularity/releases/tag/v3.7.3
[R 3] https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Barbara Krasovec

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2021-29136]

2021-04-07 SVG alerted to CVE-2021-29136 by Barbara Krasovec
2021-04-07 Acknowledgement from the EGI SVG to the reporter
2021-04-07 Updated packages available in github
2021-04-07 Further information provided by Terry Fleury
2021-05-26 SVG alerted to CVE-2021-32635 by Dave Dykstra
2021-06-22 Advisory placed on public wiki for completeness.

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose "To minimize the risk to the EGI infrastructure arising from software vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,