OSG-SEC-2019-05-14 Vulnerability in Singularity

Dear OSG users,

Impacted: Singularity 3.x.x, all versions

Severity: High

The OSG Security Team wants to inform you that a high severity vulnerability has been announced for privileged installations of all Singularity 3.x.x versions. A new version with a fix to the vulnerability is being prepared by OSG. The current primary Singularity version supported by OSG, version 2.6.1, is not vulnerable. OSG does however support a 3.x.x version in the osg-upcoming yum repository and some sites have installed it.

We will send a follow-up announcement when a new version is available; meanwhile, a mitigation is given below.

WHAT YOU SHOULD DO:

If you are using privileged Singularity 3.x.x on a RHEL7-based distribution, while waiting for the new version either downgrade to version 2.6.1 or enable unprivileged Singularity [1] and set

    allow setuid = no

in singularity.conf.

If you are using Singularity 3.x.x on a RHEL6-based distribution, downgrade to version 2.6.1.
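The following check script is an added example, not part of the OSG advisory or of the Singularity project: it reads a singularity.conf (assumed to use the "key = value" line format shown above) and reports whether a given Singularity version is a 3.x.x release that still allows setuid mode, i.e. still needs the workaround. The sample configs it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the OSG advisory): does this install still need
# the mitigation above? Assumes singularity.conf uses "key = value" lines.

# setuid_allowed CONF -> exit 0 if the effective "allow setuid" value is yes
# (Singularity defaults the key to yes when it is absent), exit 1 if it is no.
# The last matching non-comment line is taken as the effective value.
setuid_allowed() {
    val=$(grep -i '^[[:space:]]*allow setuid[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "${val:-yes}" = "yes" ]
}

# needs_mitigation VERSION CONF -> exit 0 when VERSION is a 3.x.x release
# and setuid mode is still allowed (the impacted, privileged configuration).
# 2.6.1 and other non-3.x versions are reported as not impacted.
needs_mitigation() {
    case "$1" in
        3.*) setuid_allowed "$2" ;;
        *)   return 1 ;;
    esac
}

# report VERSION CONF -> prints the advisory's recommendation for this state.
report() {
    if needs_mitigation "$1" "$2"; then
        echo "Singularity $1: privileged 3.x.x install, set 'allow setuid = no' or downgrade to 2.6.1"
    else
        echo "Singularity $1: not in the impacted privileged 3.x.x state"
    fi
}

# Constructed sample configs so the script runs stand-alone.
UNSAFE_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
printf '# constructed sample\nallow setuid = yes\n' > "$UNSAFE_CONF"
printf 'allow setuid = yes\nallow setuid = no\n' > "$SAFE_CONF"

report 3.1.1 "$UNSAFE_CONF"
report 3.1.1 "$SAFE_CONF"
report 2.6.1 "$UNSAFE_CONF"
```

On a real host, point `report` at the installed singularity.conf and the output of `singularity --version`.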

HOW IT WORKS:

A malicious user with local or network access to the host system (e.g. via ssh) could exploit this vulnerability because insecure permissions allow a user to edit files within /run/singularity/instances/sing//. Manipulating those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host [2] [3].

REFERENCES:

[1] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity

[2] https://github.com/sylabs/singularity/releases/tag/v3.2.0

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11328

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team