Vulnerability Name:

CVE-2021-32635 (CCN-202832)

Assigned:2021-05-26
Published:2021-05-26
Updated:2022-04-22
Summary:Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: users can interact only with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
CVSS v3 Severity:6.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
5.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-Other
CWE-20
CWE-923
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-32635

Source: XF
Type: UNKNOWN
singularity-cve202132635-code-exec(202832)

Source: MISC
Type: Third Party Advisory
https://github.com/sylabs/singularity/releases/tag/v3.7.4

Source: CCN
Type: singularity GIT Repository
Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint

Source: CONFIRM
Type: Third Party Advisory
https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-50

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-32635

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sylabs:singularity:3.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:sylabs:singularity:3.7.3:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:sylabs:singularity:3.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:sylabs:singularity:3.7.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID                           Class   Title                                           Last Modified
oval:org.opensuse.security:def:113439   P       singularity-3.8.3-1.2 on GA media (Moderate)    2022-01-17
oval:org.opensuse.security:def:106840   P       singularity-3.8.3-1.2 on GA media (Moderate)    2021-10-01
oval:org.opensuse.security:def:111536   P       Security update for singularity (Important)     2021-07-08
oval:org.opensuse.security:def:11238    P       Security update for singularity (Important)     2021-07-08