Advisory-SVG-CVE-2021-32635

Title:       EGI SVG 'ADVISORY' [TLP:WHITE] Singularity security updates [EGI-SVG-CVE-2021-32635]

Date:        2021-06-22
Updated:     


Affected software and risk
==========================

Package : Singularity
CVE ID  : CVE-2021-32635, CVE-2021-29136

A vulnerability has been found in Singularity where it is possible for someone to publish a malicious container 
that takes priority over a container that a user is expecting to run. [R 1] No way has been identified where this may 
be exploited in EGI - CVE-2021-32635.  

A vulnerability has been found in Singularity where there is the potential for an attacker to overwrite host files, 
CVE-2021-29136 this was fixed earlier - See [R 2]

Actions required/recommended
============================

Sites and users with their own Singularity installations are advised to Update to Singularity v3.7.4 at their earliest 
convenience if they have not done so already. 

If anyone becomes aware of any situation where these vulnerabilities may have a significant impact on the EGI infrastructure, 
then please inform EGI SVG.


Component installation information
==================================

See [R 1]


Affected software details
========================

This vulnerability CVE-2021-32635 is fixed in singularity 3.7.4 - Singularity 3.7.2 and 3.7.3 are vulnerable.  

Singularity version 3.7.3 additionally fixes CVE-2021-29136


More information
================

This information is provided by the Singularity team on the 3.7.4 release:--

A security vulnerability in Singularity has been publicly announced [R 3]. Under conditions unlikely to occur for OSG users, 
it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run.

The OSG Security team considers the vulnerability to be of MODERATE severity.

IMPACTED VERSIONS:

Singularity 3.7.2 and 3.7.3

WHAT ARE THE VULNERABILITIES:

By default, singularity commands that use "library://" for downloading containers read those containers from 
https://cloud.sylabs.io. That is a publicly accessible server and anyone may freely create an account there for 
storing containers, similar to Docker Hub. Users can also choose to redirect "library://" references to a private 
server with the singularity "remote" command. The vulnerability is that the singularity action commands (run/shell/exec) 
always try to download from https://cloud.sylabs.io first, so someone could publish a container there with the same name 
as a container on the private server and the untrusted container from the public server would instead be used.

WHAT YOU SHOULD DO:

If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users might be using a private server for 
library:// containers, notify them to either not use it until 3.7.4 is available in EPEL or to create an 
identical account name for themselves on https://cloud.sylabs.io.




This information is provided by the Singularity team on the 3.7.3 release fixing CVE-2021-29136:--

The umoci [R 2] binary used by Singularity had an issue where layers with a symlink name of '.' or '/' 
could modify host files when unpacking an image.

This vulnerability affects the "singularity build" and "singularity pull" operations when run as root. 
Build/pull from a docker or OCI source is affected, as well as the implicit build to SIF that occurs through 
root use of run/exec/shell against a malicious docker/OCI image URI. An attacker could exploit this vulnerability 
by building an image with a symlink name of '.' or '/' which could overwrite host files.


TLP and URL
===========

** WHITE information - Unlimited distribution 
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **    

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-32635   

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


References
==========

[R 1] https://github.com/hpcng/singularity/releases/tag/v3.7.4

[R 2] https://github.com/hpcng/singularity/releases/tag/v3.7.3

[R 3] https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3

[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Barbara Krasovec

Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2021-29136] 

2021-04-07 SVG alerted to CVE-2021-29136 by Barbara Krasovec
2021-04-07 Acknowledgement from the EGI SVG to the reporter 
2021-04-07 Updated packages available in github 
2021-04-07 Further information provided by Terry Fleury
2021-05-26 SVG alerted to CVE-2021-32635 by Dave Dykstra
2021-06-22 Advisory placed on public wiki for completeness. 


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4]  in the context of how 
the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. 
The risk may also be higher or lower in other deployments depending on how the software is used.   

-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and 
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing
 inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,