OSG-SEC-2018-05-07 Unprivileged User Namespaces vulnerability

Dear OSG Security Contacts,

A glibc vulnerability has been found that, on hosts where the RHEL7 unprivileged user namespaces technology preview feature is enabled, allows local privilege escalation. This feature is not enabled by default, but the OSG singularity install instructions [1] explain how to enable it in order to run singularity unprivileged. For those who have enabled the feature, a patched glibc is available and OSG security considers applying it to be IMPORTANT.

IMPACTED VERSIONS:

Red Hat Enterprise Linux and its derivatives, version 7.4 and later

WHAT IS THE VULNERABILITY:

The realpath() function in glibc has a buffer underflow condition. On systems where an unprivileged user can create user namespaces, it can be exploited through setuid-root system programs linked against glibc to escalate privileges to root. A public exploit exists for Debian systems and could in principle be adapted to RHEL.

WHAT YOU SHOULD DO:

Upgrade glibc on systems that have unprivileged user namespaces enabled to version glibc-2.17-222. Red Hat released this version with EL7.5; even though that OS version has not yet been released by Scientific Linux, the glibc update is available now in the SL7 "sl-security" yum repository. It is also available in the CentOS7 "cr" yum repository.

  • https://access.redhat.com/security/cve/cve-2018-1000001
  • https://access.redhat.com/errata/RHSA-2018:0805
  • https://www.scientificlinux.org/category/sl-errata/slsa-20180805-1
  • https://ticket.opensciencegrid.org/37551
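The following script is an added example, not part of the OSG advisory, that performs the two checks an administrator needs before deciding whether to act: is the unprivileged user namespaces feature turned on, and is the installed glibc older than the fixed build glibc-2.17-222 named above. It assumes the RHEL 7.4+ enablement mechanism used by the OSG instructions (the sysctl user.max_user_namespaces set to a value above 0) and reads the glibc version-release from rpm; the function names, the --live flag and the sample version strings are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OSG advisory): decide whether a RHEL7 host is
# exposed to CVE-2018-1000001 in the way the advisory describes, i.e. the
# unprivileged user namespaces feature is on AND glibc is older than the
# fixed build glibc-2.17-222 (RHSA-2018:0805).
#
# Assumptions: on RHEL 7.4+ the feature is enabled by setting the sysctl
# user.max_user_namespaces to a value > 0 (what the OSG instructions do);
# glibc's version-release comes from `rpm -q --qf '%{VERSION}-%{RELEASE}'`.

FIXED_GLIBC="2.17-222"

# Field-wise numeric comparison of two version-release strings such as
# "2.17-196.el7" and "2.17-222". Prints -1, 0 or 1. Only the leading run of
# numeric fields is compared, so a trailing dist tag like ".el7" is ignored.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
    ca = 0; while (ca < na && A[ca + 1] ~ /^[0-9]+$/) ca++
    cb = 0; while (cb < nb && B[cb + 1] ~ /^[0-9]+$/) cb++
    n = (ca < cb) ? ca : cb
    r = 0
    for (i = 1; i <= n && r == 0; i++) {
      if (A[i] + 0 < B[i] + 0) r = -1
      else if (A[i] + 0 > B[i] + 0) r = 1
    }
    if (r == 0) { if (ca < cb) r = -1; else if (ca > cb) r = 1 }
    print r
  }'
}

# True (exit 0) when the installed glibc version-release ($1) is older than
# the fixed one ($2, default FIXED_GLIBC).
glibc_needs_update() {
  [ "$(vercmp "$1" "${2:-$FIXED_GLIBC}")" -lt 0 ]
}

# True (exit 0) when the value of user.max_user_namespaces ($1) means
# unprivileged user namespaces are enabled. Empty, 0 or non-numeric => off.
userns_enabled() {
  v=${1:-0}
  case "$v" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "$v" -gt 0 ]
}

# Combine both checks: prints VULNERABLE (exit 0) only when the feature is
# enabled and glibc is unpatched; otherwise prints SAFE (exit 1).
assess() {
  if userns_enabled "$1" && glibc_needs_update "$2"; then
    echo "VULNERABLE"
    return 0
  fi
  echo "SAFE"
  return 1
}

# Live check on the host when invoked as: sh check_userns_glibc.sh --live
if [ "${1:-}" = "--live" ]; then
  ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 0)
  # multilib hosts list glibc twice (i686 and x86_64) with the same
  # version-release, so the first line is enough
  glibc=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1)
  printf '%s (user.max_user_namespaces=%s, glibc=%s, fixed=%s)\n' \
    "$(assess "$ns" "$glibc")" "$ns" "$glibc" "$FIXED_GLIBC"
fi
```

A host that reports SAFE only because the sysctl is absent or 0 still carries the realpath() bug; it is just not reachable the way the advisory describes, and applying the glibc update there is harmless. The comparison deliberately stops at the first non-numeric field, which is enough for the 2.17-NNN.el7 scheme but is not a general rpm version comparator.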

REFERENCES

  • [1] http://opensciencegrid.github.io/docs/worker-node/install-singularity/#unprivileged-singularity

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team