OSG-SEC-2019-05-14 Vulnerability in Singularity
Dear OSG users,
Impacted: Singularity 3.x.x, all versions
Severity: High
The OSG Security Team wants to inform you that a high severity vulnerability [3] has been announced for privileged (setuid) installations of all Singularity 3.x.x versions. OSG is preparing a new version that carries the upstream fix [2]. The current primary Singularity version supported by OSG, version 2.6.1, is not vulnerable. OSG does however support a 3.x.x version in the osg-upcoming yum repository, and some sites have installed it.
We will send a follow up announcement when a new version is available, but meanwhile there is a mitigation, below.
WHAT YOU SHOULD DO:
If you are using privileged Singularity 3.x.x on a RHEL7-based distribution, then while waiting for the new version either downgrade to version 2.6.1, or enable unprivileged Singularity [1] and set
allow setuid = no
in singularity.conf.
If you are using Singularity 3.x.x on a RHEL6-based distribution, downgrade to version 2.6.1 (unprivileged Singularity depends on user namespaces, which the RHEL6 kernel does not provide).
HOW IT WORKS:
A malicious user with local or network access to the host system (e.g. via ssh) could exploit this vulnerability because insecure permissions allow a user to edit files within /run/singularity/instances/sing/. Manipulating those files changes the behaviour of the setuid starter when an instance is joined, which can lead to privilege escalation on the host [3].
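As an added example (not part of the OSG advisory or of the Singularity project), the POSIX shell script below checks a host against the mitigation described under WHAT YOU SHOULD DO and inspects the instance directory named under HOW IT WORKS. The configuration, setuid starter and instance directory paths are the default RPM layout and are assumptions; override the environment variables if your install prefix differs.

```shell
#!/bin/sh
# Added example, not OSG's or Singularity's own code. Audits a host for the
# mitigation in OSG-SEC-2019-05-14: either Singularity is 2.6.1, or a 3.x.x
# install has "allow setuid = no" in singularity.conf.
# Default paths below are assumptions for a stock RPM install.

SING_CONF="${SING_CONF:-/etc/singularity/singularity.conf}"
SUID_STARTER="${SUID_STARTER:-/usr/libexec/singularity/bin/starter-suid}"
INSTANCE_DIR="${INSTANCE_DIR:-/run/singularity/instances/sing}"

# Print the x.y.z version from `singularity --version` output,
# e.g. "singularity version 3.1.1" -> 3.1.1, "2.6.1-dist" -> 2.6.1.
sing_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Effective "allow setuid" value in a singularity.conf file: the last
# uncommented assignment wins; upstream's default when absent is "yes".
conf_allow_setuid() {
    val=$(sed -n 's/^[[:space:]]*allow setuid[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1)
    if [ -z "$val" ]; then val=yes; fi
    printf '%s\n' "$val" | tr 'A-Z' 'a-z'
}

# Classify a host from its version string and conf file, following the
# advisory: 2.6.1 is not vulnerable; 3.x.x is vulnerable unless the setuid
# starter is disabled via "allow setuid = no".
# Prints one of: not-affected, mitigated, vulnerable, unknown.
classify() {
    ver=$(sing_version "$1")
    case "$ver" in
        2.6.1) echo not-affected ;;
        3.*)
            if [ "$(conf_allow_setuid "$2")" = "no" ]; then
                echo mitigated
            else
                echo vulnerable
            fi ;;
        *) echo unknown ;;
    esac
}

# Live report: installed version and classification, whether the setuid
# starter is still present, and any world-writable entries under the
# instance directory the advisory points at.
report_host() {
    if command -v singularity >/dev/null 2>&1; then
        out=$(singularity --version 2>/dev/null)
        echo "version:        $(sing_version "$out")"
        echo "status:         $(classify "$out" "$SING_CONF")"
    else
        echo "singularity not found in PATH"
    fi
    if [ -u "$SUID_STARTER" ]; then
        echo "setuid starter: present at $SUID_STARTER"
    else
        echo "setuid starter: absent or not setuid"
    fi
    if [ -d "$INSTANCE_DIR" ]; then
        echo "instance dir:   $(ls -ld "$INSTANCE_DIR")"
        find "$INSTANCE_DIR" -perm -o+w -print 2>/dev/null | sed 's/^/world-writable: /'
    fi
}

if [ "${1:-}" = "--report" ]; then report_host; fi
```

Run it as `sh audit-singularity.sh --report` on each worker node; a 3.x.x host that still reports "vulnerable" or a setuid starter that is still present after you set `allow setuid = no` means the mitigation has not taken effect (check that the edited file is the one Singularity actually reads).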
REFERENCES:
[1] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity
[2] https://github.com/sylabs/singularity/releases/tag/v3.2.0
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11328
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team