Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk vulnerability in
Singularity on CentOS/EL7 CVE-2018-19295 [EGI-SVG-CVE-2018-19295]
Date: 2018-12-13
Updated: 2019-01-03 - set to WHITE and placed on wiki
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Singularity on CentOS/EL7
Package : Singularity
CVE ID : CVE-2018-19295
This issue affects Singularity 2.4.0 through 2.6.0 on CentOS/EL7 or any modern
systemd-based distribution where mount points use shared mount propagation by
default (CVE-2018-19295) [R 1] [R 2].
A malicious user with access to the host system (e.g. through SSH or via
running a job) could exploit this vulnerability to mount arbitrary directories
into the host, allowing privilege escalation.
The vulnerability affects the setuid-root mode of Singularity. The
CentOS/EL7.6 kernel supports running Singularity in non-setuid-root mode, but
not for all use cases that a site may need to support. Furthermore, even for
supported use cases a switch to non-setuid-root mode may not be transparent.
Therefore such a switch cannot be advised at this time. However, a viable
mitigation is provided below.
Actions required/recommended
============================
Sites providing Singularity setuid-root on CentOS/EL7 should update to version
2.6.1 urgently, or apply the suggested mitigation, or uninstall the Singularity
RPM(s).
Component installation information
==================================
Singularity version 2.6.1 is available from EPEL7 [R 3].
Mitigation
==========
The known exploits affect setuid executables in the singularity RPM and the
singularity-runtime RPM.
However, the vulnerability does not affect the setuid executable in
singularity-runtime that is used for executing containers.
The affected setuid executable in singularity-runtime allows starting
background instances, which is not known to be used by batch jobs, and can
therefore be removed. The singularity RPM is only needed on hosts where image
creation capability is needed.
Hence, for hosts such as worker nodes, one can mitigate the vulnerability by
removing affected binaries:
1. remove the singularity RPM if it is installed, leaving only the
singularity-runtime RPM.
2. remove the remaining affected executable:
rm /usr/libexec/singularity/bin/start-suid
Note that an RPM upgrade will reinstall that executable.
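The following script is an added example for site administrators; it is not part of the EGI advisory or of the Singularity project. It checks whether an installed singularity-runtime version falls in the affected range (2.4.0 through 2.6.0), lists setuid binaries under the Singularity libexec directory, and applies step 2 of the mitigation above. The rpm query and the /usr/libexec/singularity/bin path are taken from the advisory; the root-prefix parameter is an assumption added so the functions can be exercised against a scratch directory, and audit_host only runs when AUDIT_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not the EGI advisory's own script): audit and mitigate
# CVE-2018-19295 on a CentOS/EL7 host running Singularity setuid-root.

# Return 0 if Singularity version $1 (optionally with an RPM release suffix,
# e.g. 2.6.0-1.el7) is in the affected range 2.4.0 through 2.6.0 inclusive.
singularity_version_affected() {
    ver="${1%%-*}"                      # drop the RPM release, keep x.y.z
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}             # strip any trailing rc/tag text
    patch=${patch:-0}
    [ "$major" -eq 2 ] || return 1
    if [ "$minor" -ge 4 ] && [ "$minor" -le 5 ]; then return 0; fi   # 2.4.x, 2.5.x
    if [ "$minor" -eq 6 ] && [ "$patch" -eq 0 ]; then return 0; fi  # 2.6.0 only
    return 1
}

# Print the setuid-root binaries under $ROOT/usr/libexec/singularity/bin.
# $1 is an optional root prefix (assumption added for testing; default /).
list_setuid_singularity_bins() {
    dir="${1:-}/usr/libexec/singularity/bin"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -4000
}

# Step 2 of the mitigation: remove start-suid. $1 is the optional root prefix.
# Returns 0 whether the file was removed or was already absent.
remove_start_suid() {
    target="${1:-}/usr/libexec/singularity/bin/start-suid"
    if [ -e "$target" ]; then
        rm -f "$target" && echo "removed $target"
    else
        echo "not present: $target"
    fi
}

# Full audit of the live host (needs rpm). Step 1 is reported, not performed,
# because whether the singularity RPM is needed depends on the host's role.
audit_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 1; }
    if rpm -q singularity >/dev/null 2>&1; then
        echo "singularity RPM installed: remove it unless this host builds images"
    fi
    ver=$(rpm -q --qf '%{VERSION}\n' singularity-runtime 2>/dev/null) || {
        echo "singularity-runtime not installed"; return 0; }
    if singularity_version_affected "$ver"; then
        echo "singularity-runtime $ver is affected; update to 2.6.1 or mitigate"
        echo "setuid binaries present:"; list_setuid_singularity_bins
        remove_start_suid
    else
        echo "singularity-runtime $ver is not in the affected range"
    fi
}

if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_host; fi
```

Run it on a worker node with AUDIT_RUN=1 as root; rerun after any RPM upgrade, since an upgrade to a still-affected version reinstalls start-suid.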
TLP and URL
===========
** WHITE information - Unlimited distribution -
see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2018-19295
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 4]
Note that this has been updated and the latest version approved by the
Operations Management Board in November 2017
References
==========
[R 1] https://github.com/sylabs/singularity/releases/tag/2.6.1
[R 2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19295
[R 3] https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/s/
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145
Credit
======
SVG was alerted to this vulnerability by Dave Dykstra (FNAL, OSG)
Timeline
========
Yyyy-mm-dd [EGI-SVG-2018-CVE-2018-19295]
2018-12-11 SVG alerted to this issue by Dave Dykstra (FNAL, OSG)
2018-12-11 Acknowledgement from the EGI SVG to the reporter
2018-12-12 Investigation of vulnerability and relevance to EGI carried out
2018-12-12 OSG advisory information received from Jeny Teheran (FNAL, OSG)
2018-12-13 EGI SVG Risk Assessment completed
2018-12-13 Advisory sent to sites and VO security contacts
2019-01-03 Advisory re-set to WHITE and placed on the wiki
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 6] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
On behalf of the EGI SVG,