CVE-2020-15229

Path traversal and files overwrite with unsquashfs

Severity Score

9.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that.

Singularity (una plataforma de contenedores de código abierto) desde la versión 3.1.1 hasta la 3.6.3, presenta una vulnerabilidad. Debido al manejo no seguro de un salto de ruta y la falta de saneamiento de rutas dentro de "unsquashfs", es posible sobrescribir y crear cualquier archivo en el sistema de archivos del host durante la extracción con un sistema de archivos squashfs diseñado. La extracción ocurre automáticamente para una ejecución sin privilegios (ya sea de instalación o con "allow setuid = no") de Singularity cuando un usuario intenta ejecutar una imagen que es una imagen SIF local o un solo archivo que contiene un sistema de archivos squashfs y proviene de fuentes remotas "library://" or "shub://". La construcción de la imagen también está afectada de una manera más seria, ya que puede ser usada por un usuario root, lo que permite a un atacante sobrescribir y crear archivos que conducen a un compromiso del sistema, hasta ahora los métodos de arranque "library", "shub" y "localimage" están activando la extracción de squashfs. Este problema se aborda en Singularity versión 3.6.4. Se recomienda a todos los usuarios que actualicen a la versión 3.6.4, especialmente si usan Singularity principalmente para crear imágenes como usuario root. No existe una solución alternativa sólida, excepto para evitar temporalmente el uso del modo sin privilegios con imágenes de un solo archivo en lugar de imágenes de sandbox. Con respecto a la construcción de la imagen, evite temporalmente construir a partir de fuentes de "library" y "shub" y tanto como sea posible use "--fakeroot" o una máquina virtual para eso

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-10-14 CVE Published
2024-08-04 CVE Updated
2024-09-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (7)

URL	Tag	Source
https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes	Release Notes
https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e	2022-11-16
https://github.com/hpcng/singularity/pull/5611	2022-11-16

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00070.html	2022-11-16
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00071.html	2022-11-16
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00009.html	2022-11-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sylabs Search vendor "Sylabs"		Singularity Search vendor "Sylabs" for product "Singularity"				>= 3.1.1 <= 3.6.3 Search vendor "Sylabs" for product "Singularity" and version " >= 3.1.1 <= 3.6.3"		-		Affected
Opensuse Search vendor "Opensuse"		Backports Sle Search vendor "Opensuse" for product "Backports Sle"				15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0"		sp2		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected