EGI SVG Advisories

Advisory-SVG-CVE-2021-32635

Title:   EGI SVG 'ADVISORY' [TLP:WHITE] Singularity security updates
         [EGI-SVG-CVE-2021-32635]

Date:    2021-06-22
Updated:


Affected software and risk
==========================

Package : Singularity
CVE ID  : CVE-2021-32635, CVE-2021-29136

A vulnerability has been found in Singularity (CVE-2021-32635) where it is
possible for someone to publish a malicious container that takes priority over
the container a user is expecting to run. [R 1] No way has been identified in
which this may be exploited in EGI.

A second vulnerability (CVE-2021-29136), where an attacker could overwrite files
on the host when a malicious image is unpacked, was fixed earlier in Singularity
3.7.3 - see [R 2].

Actions required/recommended
============================

Sites and users with their own Singularity installations are advised to update
to Singularity v3.7.4 at their earliest convenience, if they have not done so
already.

If anyone becomes aware of any situation where these vulnerabilities may have a
significant impact on the EGI infrastructure, then please inform EGI SVG.


Component installation information
==================================

See [R 1]


Affected software details
=========================

CVE-2021-32635 is fixed in Singularity 3.7.4; Singularity 3.7.2 and 3.7.3 are
vulnerable.

Singularity 3.7.3 additionally fixed CVE-2021-29136, so releases before 3.7.3
are affected by that issue as well.


More information
================

The following text accompanied the 3.7.4 release announcement; it is the OSG
Security team's notice about [R 3], hence the references to OSG users:--

A security vulnerability in Singularity has been publicly announced [R 3].
Under conditions unlikely to occur for OSG users, it is possible for someone to
publish a malicious container that takes priority over a container that a user
is expecting to run.

The OSG Security team considers the vulnerability to be of MODERATE severity.

IMPACTED VERSIONS:

Singularity 3.7.2 and 3.7.3

WHAT ARE THE VULNERABILITIES:

By default, singularity commands that use "library://" for downloading
containers read those containers from https://cloud.sylabs.io. That is a
publicly accessible server and anyone may freely create an account there for
storing containers, similar to Docker Hub. Users can also choose to redirect
"library://" references to a private server with the singularity "remote"
command. The vulnerability is that the singularity action commands
(run/shell/exec) always try to download from https://cloud.sylabs.io first, so
someone could publish a container there with the same name as a container on
the private server and the untrusted container from the public server would
instead be used.

WHAT YOU SHOULD DO:

If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users
might be using a private server for library:// containers, notify them to
either not use it until 3.7.4 is available in EPEL or to create an identical
account name for themselves on https://cloud.sylabs.io.
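The notice above describes two conditions that have to hold together for a
host to be exposed: an affected release (3.7.2 or 3.7.3) and a library://
endpoint redirected to a private server. The following triage helper is an
added example, not code from the EGI advisory, OSG or the Singularity project.
It parses the output of the real commands ``singularity version`` and
``singularity remote list`` and reports whether a host meets both conditions,
repeating the advice given above. The sample outputs embedded in it are
constructed, and the column layout assumed for ``singularity remote list``
(NAME, URI, ACTIVE, GLOBAL) may differ between releases.

```python
"""Triage helper for CVE-2021-32635 (library:// endpoint precedence).

Added example, not part of the EGI advisory or the Singularity project.
It checks two things: whether the installed release is in the affected
range (3.7.2 <= version < 3.7.4) and whether an endpoint other than the
default cloud.sylabs.io is the ACTIVE remote. Only the combination of
both is exposed to the issue described in the advisory.
"""
import re
from typing import NamedTuple, Optional, Tuple

DEFAULT_LIBRARY_HOST = "cloud.sylabs.io"
AFFECTED_MIN = (3, 7, 2)   # first affected release named by the advisory
FIXED = (3, 7, 4)          # first fixed release named by the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from `singularity version` output.

    Handles the bare form ("3.7.3") and the distro-packaged form
    ("singularity version 3.7.3-1.el7"); any release suffix is ignored.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: Tuple[int, ...]) -> bool:
    """True for 3.7.2 <= version < 3.7.4, the range the advisory names."""
    return AFFECTED_MIN <= version < FIXED


def active_library_host(remote_list: str) -> Optional[str]:
    """Return the URI of the ACTIVE endpoint from `singularity remote list`.

    Assumed (constructed) table layout: data rows read
    `NAME  URI  ACTIVE  GLOBAL ...` with ACTIVE given as YES/NO, so any
    row whose third column is YES/NO is a data row.
    """
    for line in remote_list.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[2] in ("YES", "NO"):
            if cols[2] == "YES":
                return cols[1]
    return None


class Triage(NamedTuple):
    version: Tuple[int, ...]
    active_host: Optional[str]
    exposed: bool
    advice: str


def triage(version_output: str, remote_list_output: str) -> Triage:
    """Combine both checks into one verdict carrying the advisory's advice."""
    version = parse_version(version_output)
    host = active_library_host(remote_list_output)
    uses_private_endpoint = host is not None and host != DEFAULT_LIBRARY_HOST
    exposed = version_affected(version) and uses_private_endpoint
    if exposed:
        advice = ("upgrade to 3.7.4; until then stop using library:// against "
                  "the private endpoint, or register the same account name on "
                  f"{DEFAULT_LIBRARY_HOST} so it cannot be squatted")
    elif version_affected(version):
        advice = ("affected release, but only the default endpoint is active; "
                  "upgrade to 3.7.4 anyway")
    else:
        advice = "not affected by CVE-2021-32635"
    return Triage(version, host, exposed, advice)


# Constructed sample outputs, not captured from a real host.
SAMPLE_VERSION = "singularity version 3.7.3-1.el7"
SAMPLE_REMOTES = """\
Cloud Services Endpoints
========================

NAME         URI                  ACTIVE  GLOBAL
SylabsCloud  cloud.sylabs.io      NO      YES
SiteLibrary  library.example.org  YES     NO
"""

if __name__ == "__main__":
    result = triage(SAMPLE_VERSION, SAMPLE_REMOTES)
    print("version=%s active=%s exposed=%s"
          % (".".join(map(str, result.version)), result.active_host, result.exposed))
    print(result.advice)
```

On a real host, feed the script the captured outputs of ``singularity
version`` and ``singularity remote list`` instead of the constructed samples;
the parsing is deliberately tolerant of distro release suffixes so that EPEL
builds are classified correctly.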




This information is provided by the Singularity team in the 3.7.3 release notes
[R 2], which fixed CVE-2021-29136:--

The umoci [R 2] binary used by Singularity had an issue where layers with a
symlink name of '.' or '/' could modify host files when unpacking an image.

This vulnerability affects the "singularity build" and "singularity pull"
operations when run as root.  Build/pull from a docker or OCI source is
affected, as well as the implicit build to SIF that occurs through root use of
run/exec/shell against a malicious docker/OCI image URI. An attacker could
exploit this vulnerability by building an image with a symlink name of '.' or
'/' which could overwrite host files.
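The defect described above is a failure to validate the names of layer entries
before unpacking: a symlink entry named '.' or '/' renames the unpack root
itself, so later entries in the layer land wherever that symlink points. The
following is an added example, not code from umoci, Singularity or the EGI
advisory; it constructs such a layer in memory and shows the kind of entry
check an unpacker needs to apply to every tar member before writing anything.
The validation rules are a hypothetical hardening illustration, not umoci's
actual fix, and the layers built here are constructed samples.

```python
"""Layer-entry validation against the CVE-2021-29136 pattern.

Added example, not code from umoci, Singularity or the EGI advisory.
Builds an OCI-style tar layer in memory containing a symlink entry named
"." (the case the advisory describes) and a symlink that climbs out of
the unpack root, then shows a validator that rejects both before any
file is written. The rules are a hypothetical, conservative illustration.
"""
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple


def entry_is_dangerous(name: str, is_symlink: bool, linkname: str) -> Tuple[bool, str]:
    """Return (dangerous, reason) for one tar entry of an image layer.

    Rules (hypothetical but conservative):
      * the normalised name must not be "", "." or "/": such an entry names
        the unpack root itself, and a symlink with that name redirects the
        whole root, e.g. onto the host filesystem;
      * the name must not escape the root via ".." or an absolute path;
      * a symlink whose target is absolute or resolves above the root is
        rejected too (ordinary symlink traversal, a close cousin).
    """
    norm = posixpath.normpath("/" + name).lstrip("/")   # anchor at root, then strip it
    if norm in ("", "."):
        return True, f"entry {name!r} names the unpack root itself"
    if name.startswith("/") or ".." in name.split("/"):
        return True, f"entry {name!r} escapes the unpack root"
    if is_symlink:
        if linkname.startswith("/"):
            return True, f"symlink {name!r} has absolute target {linkname!r}"
        target = posixpath.normpath(posixpath.join(posixpath.dirname(norm), linkname))
        if target == ".." or target.startswith("../"):
            return True, f"symlink {name!r} -> {linkname!r} escapes the unpack root"
    return False, ""


def validate_layer(layer: bytes) -> List[str]:
    """Scan a whole tar layer and return a reason for every rejected entry.

    An empty list means the layer passed. An unpacker should only extract
    after the whole layer has been checked, never entry by entry, so that
    a bad entry late in the archive cannot be preceded by partial writes.
    """
    problems: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tf:
        for member in tf.getmembers():
            bad, why = entry_is_dangerous(member.name, member.issym(), member.linkname)
            if bad:
                problems.append(why)
    return problems


def build_layer(entries: List[Tuple[str, Optional[str], Optional[bytes]]]) -> bytes:
    """Build a tar layer in memory from (name, symlink_target_or_None, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, link, data in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tf.addfile(info)
            else:
                info.size = len(data or b"")
                tf.addfile(info, io.BytesIO(data or b""))
    return buf.getvalue()


# Constructed sample layers (not taken from any real image).
MALICIOUS_LAYER = build_layer([
    ("bin/sh", None, b"#!/bin/sh\n"),
    (".", "/", None),                            # the CVE-2021-29136 shape
    ("etc/passwd", "../../../etc/passwd", None),  # plain symlink traversal
])
BENIGN_LAYER = build_layer([
    ("bin/sh", None, b"#!/bin/sh\n"),
    ("usr/lib/libz.so", "libz.so.1", None),      # relative link staying inside
])

if __name__ == "__main__":
    for label, layer in (("malicious", MALICIOUS_LAYER), ("benign", BENIGN_LAYER)):
        print(label, validate_layer(layer) or "ok")
```

The check runs on the archive metadata only, so it can be applied to a layer
pulled from a docker:// or OCI source before any root-privileged build or
implicit SIF conversion touches the host filesystem.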


TLP and URL
===========

** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2021-32635

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 4].

Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.


References
==========

[R 1] https://github.com/hpcng/singularity/releases/tag/v3.7.4

[R 2] https://github.com/hpcng/singularity/releases/tag/v3.7.3

[R 3] https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3

[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Barbara Krasovec

Timeline
========

2021-04-07 SVG alerted to CVE-2021-29136 by Barbara Krasovec
2021-04-07 Acknowledgement from the EGI SVG to the reporter
2021-04-07 Updated packages available in github
2021-04-07 Further information provided by Terry Fleury
2021-05-26 SVG alerted to CVE-2021-32635 by Dave Dykstra
2021-06-22 Advisory placed on public wiki for completeness.


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 4], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending
on how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/
Software Vulnerability Group must be credited.
-----------------------------

Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.

On behalf of the EGI SVG,