OSG-SEC-2018-03-05 Vulnerability in Singularity

Dear OSG Security Contacts,

There is a new vulnerability in Singularity 2.3.2 that allows code inside the container to escape.

IMPACTED VERSIONS:

Singularity 2.3.2

WHAT IS THE VULNERABILITY:

An open file descriptor to the image directory is passed through to the process running inside the container. With that file descriptor it is easy to escape the container: a program can fchdir() to the file descriptor and run another shell. From that shell, a "cd .." leads out of the container and can see, e.g., the host system's /tmp with other grid users' X.509 proxies, which will be readable if they are owned by the same glidein/pilot.
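A defender-side check for this class of bug, added here as an example and not part of the advisory or of Singularity itself: it lists every directory file descriptor a process holds and flags those without O_CLOEXEC, which is exactly what a payload exec'd inside the container would inherit. It assumes Linux with /proc mounted; the pid argument defaults to the calling process.

```python
import os
import stat
from typing import List, NamedTuple


class DirFd(NamedTuple):
    fd: int         # descriptor number
    target: str     # path the kernel reports for it under /proc/<pid>/fd
    cloexec: bool   # True if close-on-exec is set, so it cannot survive an execve()


def _has_cloexec(pid: str, fd: int) -> bool:
    """Read the open-file flags from /proc/<pid>/fdinfo/<fd>; the octal 'flags:'
    field includes O_CLOEXEC when the close-on-exec flag is set (see proc(5))."""
    with open(f"/proc/{pid}/fdinfo/{fd}") as info:
        for line in info:
            if line.startswith("flags:"):
                return bool(int(line.split()[1], 8) & os.O_CLOEXEC)
    return False


def list_dir_fds(pid: str = "self") -> List[DirFd]:
    """Every open descriptor of `pid` that refers to a directory."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        link = os.path.join(fd_dir, name)
        try:
            # os.stat follows the magic symlink to the open file itself
            if not stat.S_ISDIR(os.stat(link).st_mode):
                continue
            found.append(DirFd(int(name), os.readlink(link), _has_cloexec(pid, int(name))))
        except OSError:
            continue  # fd closed between listdir() and here (typically listdir's own handle)
    return found


def leaked_dir_fds(pid: str = "self") -> List[DirFd]:
    """Directory fds above stdio that lack close-on-exec: a child started with
    execve() inherits these and can fchdir() into them, as the advisory describes."""
    return [d for d in list_dir_fds(pid) if d.fd > 2 and not d.cloexec]


if __name__ == "__main__":
    for d in leaked_dir_fds():
        print(f"fd {d.fd} -> {d.target} would be inherited across exec")
```

Run it as the first step of a container entrypoint, or point `pid` at a running container process from the host, to confirm no directory handle to the image is reachable from inside; the fix on the launcher side is to open such directories with O_CLOEXEC or close them before exec.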

WHAT YOU SHOULD DO:

Update to the latest version, singularity-2.4.2 [1], as soon as possible. Note that there are some command-line incompatibilities with version 2.3.2, mostly in the commands related to managing images.

https://ticket.opensciencegrid.org/36327

REFERENCE(S):

  • [1] http://opensciencegrid.github.io/docs/worker-node/install-singularity/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team