EGI SVG Advisories

Advisory-SVG-CVE-2023-30549

Title:   EGI SVG 'ADVISORY' [TLP:WHITE]  HIGH risk Apptainer /Singularity
         setuid-root installations vulnerability [EGI-SVG-CVE-2023-30549]

Date:    2023-04-27
Updated: 2023-06-01, 2023-07-04

Affected software and risk
==========================
HIGH risk vulnerability concerning Apptainer/Singularity

Package    : Apptainer
CVE ID     : CVE-2023-30549

A vulnerability is present in setuid-root installations of Apptainer and
Singularity which exposes an existing ext4 filesystem driver use-after-free
flaw (CVE-2022-1184) to unprivileged local users. That kernel flaw is
unpatched in several older but still actively supported systems, including
RHEL7.

**UPDATE 2023-06-01** More recent operating systems are also affected,
because further similar ext4 flaws are not yet patched on them.

Actions required/recommended
============================

Affected sites are recommended to update to Apptainer v1.1.8.
Sites that are using setuid-root mode on RHEL7 should update urgently. 

**UPDATE 2023-06-01** An addendum has been added to the Apptainer GitHub
advisory [2]. As a result, we now recommend that sites which have setuid-root
Singularity or Apptainer installed on newer operating systems also update to
Apptainer 1.1.8 urgently, i.e. this applies in all cases, not just on RHEL7
and derivatives. See [2] for more information.

Component installation information
==================================

Apptainer v1.1.8 is now available:
  https://github.com/apptainer/apptainer/releases/tag/v1.1.8

More information 
=================

**UPDATE 2023-06-01** This is the updated version which was sent to
OSG Security Contacts on 31st May 2023.

Dear OSG Security Contacts,

This announcement is an update to last month's OSG-SEC-2023-04-26 HIGH
setuid-mode Apptainer exploit [1], which exposes a use-after-free flaw in the
kernel to all local users. There's an addendum to the v1.1.8 Apptainer
security announcement with additional details about the vulnerability,
which extends urgency to all current operating systems, not only older
ones [2].

## IMPACTED VERSIONS:

Apptainer v1.1.7 and earlier
All versions of Singularity

## WHAT ARE THE VULNERABILITIES:

Use-after-free flaws in the kernel can be used to attack the kernel for
denial of service and potentially for privilege escalation. There is an
ext4 use-after-free flaw described in CVE-2022-1184 [4][5][6][7] that is
exploitable through versions of Apptainer < 1.1.0, installations that
include apptainer-suid < 1.1.8, and all versions of Singularity in their
default configurations on operating systems where that CVE has not been
patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster
(unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and
Ubuntu 20.04 focal. 

UPDATED INFO: additional similar ext4 vulnerabilities have been discovered
that are not yet patched on most operating systems including RHEL8, RHEL9,
Debian 11, and Ubuntu 22.04.

## WHAT YOU SHOULD DO:

Review the Apptainer advisory [2] and update Apptainer to v1.1.8. 

UPDATED INFO: All sites that are using setuid-root mode in Singularity or
Apptainer should update urgently. 

The updated packages can be found on the Apptainer github repository [3],
and are available in the epel-testing repository for distributions that
can make use of EPEL.

The following workarounds are also available:

1. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7)
or set allow setuid = no in apptainer.conf (or singularity.conf for
singularity versions). This requires having unprivileged user namespaces
enabled and except for apptainer 1.1.x versions will disallow mounting of
sif files, extfs files, and squashfs files in addition to other, less
significant impacts. (Encrypted sif files are also not supported
unprivileged in apptainer 1.1.x.) 

2. Alternatively, use the "limit containers" options in
apptainer.conf/singularity.conf to limit sif files to trusted users,
groups, and/or paths. (The option "allow container extfs = no" disallows
mounting extfs overlay files but does not disallow mounting of extfs overlay
partitions inside SIF files, so it does not help work around the problem.)


## REFERENCES

[1] https://osg-htc.org/security/vulns/OSG-SEC-2023-04-26/
[2] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
[3] https://github.com/apptainer/apptainer/releases/tag/v1.1.8
[4] https://nvd.nist.gov/vuln/detail/CVE-2022-1184
[5] https://access.redhat.com/security/cve/cve-2022-1184
[6] https://security-tracker.debian.org/tracker/CVE-2022-1184
[7] https://ubuntu.com/security/CVE-2022-1184
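As an added example, not part of the EGI advisory or the forwarded OSG notice and not code from the Apptainer project, the following POSIX shell script turns the impacted-version list and the two workarounds above into a check a site can run over its own apptainer.conf or singularity.conf. It reads "allow setuid" and the "limit container owners/groups/paths" directives, deliberately ignores "allow container extfs" (which the notice says does not help), and compares the installed version against 1.1.8. The default config path /etc/apptainer/apptainer.conf, the APPTAINER_CONF override, the treatment of a missing "allow setuid" line as "yes", and the assumption that the --version output ends in the version number are the example's own; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not code from EGI, OSG or the Apptainer project): classify a
# setuid-root Apptainer/Singularity install against the advisory's impacted
# versions and its two workarounds. Directive names and the "key = value"
# syntax are those of apptainer.conf / singularity.conf; the default config
# path and the --version output format below are assumptions.

DEFAULT_CONF="${APPTAINER_CONF:-/etc/apptainer/apptainer.conf}"   # assumption

# conf_value FILE KEY: print the effective value of KEY; '#' lines are
# skipped, the last occurrence wins, nothing is printed if KEY is unset.
conf_value() {
    cv_file="$1"; cv_key="$2"
    awk -v k="$cv_key" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) found = val
        }
        END { if (found != "") print found }' "$cv_file"
}

# assess_conf FILE prints one of:
#   setuid-disabled      allow setuid = no (workaround 1): the suid starter is
#                        not used, so local users cannot reach the kernel ext4 path
#   setuid-limited       setuid allowed, but a "limit container ..." directive
#                        restricts who may run or what may be mounted (workaround 2)
#   setuid-unrestricted  setuid allowed for every local user (the case the advisory
#                        warns about); "allow container extfs = no" is ignored on purpose
assess_conf() {
    ac_conf="$1"
    ac_setuid="$(conf_value "$ac_conf" "allow setuid")"
    [ -n "$ac_setuid" ] || ac_setuid=yes       # assumed default if the line is absent
    if [ "$ac_setuid" = no ]; then
        echo setuid-disabled; return 0
    fi
    for ac_key in "limit container owners" "limit container groups" "limit container paths"; do
        if [ -n "$(conf_value "$ac_conf" "$ac_key")" ]; then
            echo setuid-limited; return 0
        fi
    done
    echo setuid-unrestricted
}

# version_lt A B: true when dotted version A sorts before B (1.1.7 < 1.1.8 < 1.2).
version_lt() {
    vl_a="$1"; vl_b="$2"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ai="${vl_a%%.*}"; vl_bi="${vl_b%%.*}"
        case "$vl_a" in *.*) vl_a="${vl_a#*.}" ;; *) vl_a="" ;; esac
        case "$vl_b" in *.*) vl_b="${vl_b#*.}" ;; *) vl_b="" ;; esac
        [ "${vl_ai:-0}" -lt "${vl_bi:-0}" ] && return 0
        [ "${vl_ai:-0}" -gt "${vl_bi:-0}" ] && return 1
    done
    return 1
}

# needs_update TOOL VERSION: true for the impacted set, Apptainer 1.1.7 and
# earlier and every Singularity release. Packaging suffixes ("-1.el7") are dropped.
needs_update() {
    nu_ver="${2%%[!0-9.]*}"
    case "$1" in singularity*) return 0 ;; esac
    version_lt "$nu_ver" 1.1.8
}

# verdict TOOL VERSION CONF: one actionable line per installation.
verdict() {
    v_state="$(assess_conf "$3")"
    if [ "$v_state" = setuid-disabled ]; then
        echo "OK: $1 $2 runs without setuid-root (allow setuid = no)"
    elif needs_update "$1" "$2"; then
        echo "UPDATE URGENTLY: $1 $2 setuid-root install is $v_state; move to apptainer 1.1.8"
    else
        echo "OK: $1 $2 is at a fixed version ($v_state)"
    fi
}

# Constructed sample configurations (not taken from any real host).
demo="$(mktemp -d)"
printf '%s\n' '# stock setuid install; extfs=no alone does not help' \
    'allow setuid = yes' 'allow container extfs = no' > "$demo/stock.conf"
printf '%s\n' 'allow setuid = no' > "$demo/unpriv.conf"
printf '%s\n' 'allow setuid = yes' 'limit container owners = gmk, root' > "$demo/limited.conf"

verdict apptainer   1.1.7 "$demo/stock.conf"     # UPDATE URGENTLY (setuid-unrestricted)
verdict singularity 3.8.7 "$demo/limited.conf"   # UPDATE URGENTLY (setuid-limited)
verdict apptainer   1.1.7 "$demo/unpriv.conf"    # OK, workaround 1 in place
verdict apptainer   1.1.8 "$demo/stock.conf"     # OK, fixed version
rm -rf "$demo"

# Live check of this host when a binary is on PATH; assumes the version line
# ends in the version number, e.g. "apptainer version 1.1.8".
if command -v apptainer >/dev/null 2>&1 && [ -r "$DEFAULT_CONF" ]; then
    verdict apptainer "$(apptainer --version | awk '{print $NF}')" "$DEFAULT_CONF"
fi
```

The classifier treats a commented-out "limit container ..." line as unset, exactly as the shipped configuration files leave them, so a host only counts as "setuid-limited" when an administrator has actually populated one of those directives; and because "allow container extfs = no" is not consulted, a site that relied on that setting alone is still reported as needing the update.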


TLP and URL
===========

** WHITE information - Unlimited distribution
 - see https://go.egi.eu/tlp for
   distribution restrictions **
   
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-30549
Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]

References
==========

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======
SVG was alerted to this vulnerability by Dave Dykstra.

Timeline
========

2023-04-20 SVG alerted to this issue by Dave Dykstra via 'heads up'
2023-04-25 Announcement of patch forwarded by Dave Dykstra
2023-04-26 EGI SVG Risk Assessment completed
2023-04-27 Advisory based on OSG version 
2023-04-27 Advisory sent to sites
2023-05-31 OSG shared their updated notification to their security contacts
2023-06-01 Advisory updated
2023-07-04 Advisory placed on advisories.egi.eu


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative commons licence 
https://creativecommons.org/licenses/by/4.0/ 
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------


On behalf of the EGI SVG,