OSG-SEC-2018-12-12 Critical vulnerability in Singularity
Dear OSG Security Contacts,
The following announcement impacts sites running Singularity on RHEL7.
VERSIONS IMPACTED:
Singularity versions 2.4.0 through 2.6.0
WHAT IS THE VULNERABILITY:
This issue (CVE-2018-19295) affects Singularity 2.4.0 through 2.6.0 on RHEL7 or any modern systemd-based distribution where mount points use shared mount propagation by default. A malicious user with access to the host system (e.g. via SSH, or by running a payload as an unprivileged job) could exploit this vulnerability to mount arbitrary directories into the host mount namespace, resulting in privilege escalation.
The vulnerability affects the setuid-root mode of Singularity. The RHEL7.6 kernel supports the non-setuid mode of Singularity, but that mode has not yet been sufficiently tested for it to be a recommended workaround at this time.
OSG Security considers this vulnerability CRITICAL for sites running Singularity.
WHAT YOU SHOULD DO:
All sites should install Singularity version 2.6.1 as soon as possible and remove any old versions installed. Singularity 2.6.1 is available in the osg-testing repository; testing is still in progress. Release is planned for later today, December 12. To install from the testing repository, issue the following yum command:
yum install --enablerepo=osg-testing singularity
The release announcement from the Singularity project mentions a workaround of disabling shared mount propagation on the host, but that adversely affects the visibility of CVMFS automount mount points inside containers, so we do not recommend it; do the upgrade instead.
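The following host check is an added example and is not part of this advisory or of the Singularity project. It tests the two conditions named above: an installed Singularity in the 2.4.0 through 2.6.0 range, and shared propagation on the root mount, read from the "shared:N" optional field of /proc/self/mountinfo (see proc(5)). It assumes that "singularity --version" prints a MAJOR.MINOR.PATCH string such as "2.6.0-dist"; the mountinfo lines embedded in the script are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the OSG advisory or the Singularity project.
# Reports a host as exposed to CVE-2018-19295 only when BOTH advisory
# conditions hold: Singularity 2.4.0..2.6.0 installed AND "/" has shared
# mount propagation (the RHEL7/systemd default).

# Pull MAJOR.MINOR.PATCH out of a version string. Assumes the shape that
# `singularity --version` prints ("2.6.0-dist" on 2.x, "singularity version
# 3.x.y" on 3.x). Prints nothing when no version is found.
normalize_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Succeed (return 0) when the version lies in the affected range
# 2.4.0 through 2.6.0 inclusive; anything else, including unparseable
# input, returns 1.
singularity_version_affected() {
  v=$(normalize_version "$1")
  [ -n "$v" ] || return 1
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$major" -eq 2 ] || return 1
  case "$minor" in
    4|5) return 0 ;;
    6) [ "$patch" -eq 0 ] && return 0; return 1 ;;
    *) return 1 ;;
  esac
}

# Read /proc/self/mountinfo text on stdin; succeed when the mount at "/"
# carries a "shared:N" optional field, i.e. shared propagation.
# Field layout: id parent maj:min root mountpoint opts [optional...] - fstype src
mountinfo_root_shared() {
  awk '$5 == "/" { for (i = 7; i <= NF && $i != "-"; i++) if ($i ~ /^shared:/) found = 1 }
       END { exit(found ? 0 : 1) }'
}

# Constructed sample mountinfo text (not captured from a real host): the
# shape of a stock RHEL7 root, where systemd makes "/" shared, and of a root
# remounted private as in the upstream workaround.
SHARED_ROOT='22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64,noquota
23 22 0:19 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw'
PRIVATE_ROOT='22 1 253:0 / / rw,relatime - xfs /dev/mapper/rhel-root rw,attr2,inode64,noquota'

# Print a verdict; return 0 when the host is exposed (both conditions hold),
# 1 otherwise. $1: raw version string, $2: mountinfo text.
assess_host() {
  affected=no; shared=no
  singularity_version_affected "$1" && affected=yes
  printf '%s\n' "$2" | mountinfo_root_shared && shared=yes
  if [ "$affected" = yes ] && [ "$shared" = yes ]; then
    echo "VULNERABLE: Singularity $(normalize_version "$1") with shared propagation on /; upgrade to 2.6.1 (CVE-2018-19295)"
    return 0
  fi
  if [ "$affected" = yes ]; then
    echo "affected version installed but / is not shared (workaround state); upgrade to 2.6.1 anyway"
  else
    echo "not affected: affected version=$affected, root mount shared=$shared"
  fi
  return 1
}

# Live check on this host; skipped where singularity is not installed.
if command -v singularity >/dev/null 2>&1; then
  assess_host "$(singularity --version 2>&1)" "$(cat /proc/self/mountinfo)"
fi
```

On a real worker node the same propagation fact is visible with "findmnt -n -o PROPAGATION /", which prints "shared" on a stock RHEL7 host; the script reads /proc/self/mountinfo instead so that the parsing can be exercised on the embedded samples without root or a Singularity install.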
REFERENCES:
https://github.com/sylabs/singularity/releases/tag/2.6.1
https://opensciencegrid.org/docs/worker-node/install-singularity/
Please contact [email protected] if you have any questions or concerns.
Sincerely,
Ryan Kiser on behalf of the OSG Security Team