Multiple vulnerabilities in Sylabs Singularity



Published: 2020-07-21
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-13845
CVE-2020-13846
CVE-2020-13847
CWE-ID CWE-347
CWE-20
CWE-354
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Singularity
Universal components / Libraries / Libraries used by multiple products

Vendor Singularity

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU31716

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13845

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the image integrity is not validated when an ECL policy is enforced. A remote attacker can bypass implemented security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Singularity: 3.0.0 - 3.5.3


CPE2.3 External links

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
http://medium.com/sylabs

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU31717

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13846

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due the affected software fails to report an error in a Status Code. A remote attacker can run arbitrary SIF containers that have unsigned, or modified, objects.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Singularity: 3.5.0 - 3.5.3


CPE2.3 External links

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92
http://medium.com/sylabs

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper validation of integrity check value

EUVDB-ID: #VU31718

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13847

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. A remote attacker can cause unexpected behavior.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Singularity: 3.0.0 - 3.5.3


CPE2.3 External links

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v
http://medium.com/sylabs

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###