OpenSUSE Linux update for singularity
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2019-11328 CVE-2019-19724 CVE-2020-13845 CVE-2020-13846 CVE-2020-13847 |
| CWE-ID | CWE-264 CWE-276 CWE-347 CWE-20 CWE-354 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Opensuse Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU31792
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11328
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions and allows authenticated users to edit files within the `/run/singularity/instances/sing//` directory. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.
MitigationUpdate the affected packages.
Opensuse: 15.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect default permissions
EUVDB-ID: #VU31793
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19724
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure permissions for files and folders that are set by the application on $HOME/.singularity file when it is newly created by Singularity. A local user with access to the system can view contents of files and directories or modify them.
MitigationUpdate the affected packages.
Opensuse: 15.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU31716
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13845
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the image integrity is not validated when an ECL policy is enforced. A remote attacker can bypass implemented security restrictions.
MitigationUpdate the affected packages.
Opensuse: 15.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU31717
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13846
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due the affected software fails to report an error in a Status Code. A remote attacker can run arbitrary SIF containers that have unsigned, or modified, objects.
MitigationUpdate the affected packages.
Opensuse: 15.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper validation of integrity check value
EUVDB-ID: #VU31718
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13847
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. A remote attacker can cause unexpected behavior.
MitigationUpdate the affected packages.
Opensuse: 15.1
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
