Multiple vulnerabilities in Sylabs Singularity
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-13845 CVE-2020-13846 CVE-2020-13847 |
| CWE-ID | CWE-347 CWE-20 CWE-354 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Singularity Universal components / Libraries / Libraries used by multiple products |
| Vendor | Singularity |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU31716
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13845
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the image integrity is not validated when an ECL policy is enforced. A remote attacker can bypass implemented security restrictions.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSingularity: 3.0.0 - 3.5.3
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
http://medium.com/sylabs
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU31717
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13846
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due the affected software fails to report an error in a Status Code. A remote attacker can run arbitrary SIF containers that have unsigned, or modified, objects.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSingularity: 3.5.0 - 3.5.3
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92
http://medium.com/sylabs
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper validation of integrity check value
EUVDB-ID: #VU31718
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13847
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. A remote attacker can cause unexpected behavior.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSingularity: 3.0.0 - 3.5.3
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v
http://medium.com/sylabs
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
