OSG-SEC-2018-04-02 Critical Vulnerability in Singularity
Dear OSG Security Contacts,
A vulnerability has been reported in Singularity that has been rated as "Critical". This vulnerability allows an attacker to create arbitrary world-writable directories and files anywhere outside of a container and in that way obtain root privileges. The vulnerability is in the Singularity 'overlay' option. The vulnerability does not enable modifying existing files; it only allows creating new directories and files, but that is sufficient for privilege escalation.
All Singularity versions from 2.2.1 and later on RHEL7 and its derivatives are affected. All versions of the Singularity el7 RPMs from OSG have the overlay option enabled by default. The 2.2.1 version from EPEL has the option disabled by default, but a system administrator may have enabled it. RHEL6 and its derivatives are not affected because they do not support OverlayFS. Non-setuid-root installations are also not affected.
WHAT YOU SHOULD DO:
There is no patched version yet. Instead, you should urgently apply the following mitigation:
Disable the overlay option by replacing the 'enable overlay' setting in '/etc/singularity/singularity.conf' with 'enable overlay = no'. The VOs that currently use Singularity in production do not require this option.
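As an added example (not part of this advisory or of Singularity itself), the following POSIX shell functions audit and apply the setting named above. They assume the 'enable overlay = <value>' line syntax of singularity.conf and treat any value other than 'no' (or a missing line) as needing attention.

```shell
# Added example: audit and remediate 'enable overlay' in a Singularity 2.x
# configuration file. Assumes "key = value" lines with '#' comments; any
# value other than "no" (e.g. "yes" or "try") is reported as "enabled".

overlay_status() {
    # $1: path to singularity.conf (default: the path named in the advisory)
    conf="${1:-/etc/singularity/singularity.conf}"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Take the last uncommented 'enable overlay' line; keep only its value.
    value=$(sed -n \
      's/^[[:space:]]*enable[[:space:]][[:space:]]*overlay[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' \
      "$conf" | tail -n 1)
    case "$value" in
        "") echo "unset";    return 1 ;;  # no line: Singularity's default applies
        no) echo "disabled"; return 0 ;;
        *)  echo "enabled";  return 1 ;;
    esac
}

disable_overlay() {
    # Rewrite (or append) the setting to 'enable overlay = no', keeping a backup.
    conf="${1:-/etc/singularity/singularity.conf}"
    cp "$conf" "$conf.bak" || return 1
    if grep -q '^[[:space:]]*enable[[:space:]][[:space:]]*overlay[[:space:]]*=' "$conf"; then
        sed 's/^\([[:space:]]*enable[[:space:]][[:space:]]*overlay[[:space:]]*=\).*/\1 no/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'enable overlay = no\n' >> "$conf"
    fi
}
```

Run overlay_status before and after disable_overlay on each affected host; "disabled" is the only acceptable result until a patched version is released.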
We will send another announcement when a new version with a patch is available.
OSG was alerted about this issue by the EGI Software Vulnerability Group.
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team