
OSG-SEC-2018-12-12 Critical vulnerability in Singularity

Dear OSG Security Contacts,

The following announcement impacts sites running Singularity on RHEL7.

VERSIONS IMPACTED:

Singularity versions 2.4.0 through 2.6.0

WHAT IS THE VULNERABILITY:

This issue affects Singularity 2.4.0 through 2.6.0 on RHEL7 or any modern systemd-based distribution where mount points use shared mount propagation by default (CVE-2018-19295). A malicious user with access to the host system (e.g. SSH or running a payload) could exploit this vulnerability to mount arbitrary directories into the host, resulting in privilege escalation.

The vulnerability affects the setuid-root mode of singularity. The RHEL7.6 kernel supports the non-setuid root mode of singularity, but this mode has not yet been sufficiently tested for it to be a recommended workaround at this time.

OSG Security considers this vulnerability CRITICAL for sites running Singularity.

WHAT YOU SHOULD DO:

All sites should install Singularity version 2.6.1 as soon as possible and remove any old versions installed. Singularity 2.6.1 is available in the osg-testing repository; testing is still in progress. Release is planned for later today, December 12. To install from the testing repository, issue the following yum command:

yum install --enablerepo=osg-testing singularity

The release announcement from the Singularity project mentions a workaround of disabling shared mount propagation, but that adversely affects the visibility of cvmfs automount mount points inside of containers, so we do not recommend it; do the upgrade instead.
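As an added example that is not part of this advisory or of the Singularity project, the following POSIX shell script lets a site administrator check a host against the facts stated above: whether the installed Singularity version falls in the affected range 2.4.0 through 2.6.0 (an RPM release suffix such as `-1.el7` is tolerated), whether setuid-root helpers are present, and what propagation mode the root mount currently uses. The helper directory `libexec/singularity/bin` under the install prefix is an assumption about the 2.x layout; the `findmnt` PROPAGATION column comes from util-linux. The propagation value is reported only for information, since the advisory recommends upgrading rather than changing it.

```shell
#!/bin/sh
# Added example (not part of the OSG advisory or the Singularity project):
# report whether a host's Singularity install is in the affected range
# 2.4.0 .. 2.6.0 and whether the setuid-root mode is in use.

# Keep only the leading digits of one version field; empty becomes 0.
num_field() {
    f=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    printf '%s' "${f:-0}"
}

# Return 0 if version $1 (e.g. "2.6.0" or "2.6.0-1.el7") satisfies
# 2.4.0 <= version <= 2.6.0, the range named in the advisory; 1 otherwise.
singularity_version_affected() {
    # split on '.' and '-' so an RPM release suffix does not get in the way
    set -- $(printf '%s' "$1" | tr '.-' '  ')
    major=$(num_field "${1:-0}")
    minor=$(num_field "${2:-0}")
    patch=$(num_field "${3:-0}")
    [ "$major" -eq 2 ] || return 1
    [ "$minor" -ge 4 ] || return 1
    [ "$minor" -le 6 ] || return 1
    # 2.6.x with x > 0 is the fixed 2.6.1 line
    if [ "$minor" -eq 6 ] && [ "$patch" -gt 0 ]; then return 1; fi
    return 0
}

# Inspect this host. The helper directory is an assumption based on the
# 2.x layout (setuid helpers under libexec/singularity/bin); adjust if needed.
check_host() {
    bin=$(command -v singularity 2>/dev/null) || { echo "singularity: not installed"; return 0; }
    ver=$("$bin" --version 2>/dev/null | sed 's/^[^0-9]*//')
    if singularity_version_affected "$ver"; then
        echo "AFFECTED: singularity $ver (upgrade to 2.6.1)"
    else
        echo "OK: singularity $ver"
    fi
    prefix=$(dirname "$(dirname "$bin")")       # /usr/bin/singularity -> /usr
    helpers="$prefix/libexec/singularity/bin"   # assumption: 2.x helper path
    if [ -d "$helpers" ]; then
        # setuid-root helpers are the code path the advisory calls vulnerable
        find "$helpers" -type f -perm -4000 2>/dev/null | sed 's/^/setuid helper: /'
    fi
    # shared propagation on / is the precondition named in the advisory;
    # reported for information only, the advisory says to upgrade instead
    if command -v findmnt >/dev/null 2>&1; then
        echo "root mount propagation: $(findmnt -no PROPAGATION / 2>/dev/null)"
    fi
}

# Usage: sh check-singularity.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` on each worker node; an `AFFECTED` line together with at least one `setuid helper:` line is the combination the advisory is about, and the fix is the yum upgrade given above.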

REFERENCES:

https://github.com/sylabs/singularity/releases/tag/2.6.1
https://opensciencegrid.org/docs/worker-node/install-singularity/

Please contact [email protected].org if you have any questions or concerns.

Sincerely,
Ryan Kiser on behalf of the OSG Security Team