Sylabs SingularityCE
cpe:2.3:a:sylabs:singularity:*:*:*:*:*:*:*
- < 4.1.11
- < 4.3.5
A vulnerability exists in SingularityCE versions prior to 4.3.5 and in SingularityPRO versions prior to 4.1.11 and 4.3.5. Under certain conditions, an attacker can manipulate the Linux Security Module (LSM) label-writing process to render it ineffective. This is achieved by causing a user to execute a malicious container image that redirects the mount of the proc filesystem to a shared mount, either pre-existing on the target system or specified by the user. The attacker must also control the shared mount's content, potentially through another malicious container or as a user with the necessary permissions on the host. This vulnerability undermines LSM restrictions, which are intended to prevent harmful operations.
Exploitation of this vulnerability allows for the ineffective application of LSM process labels, such as those used by AppArmor and SELinux, which can lead to unauthorized operations or access within the container or on the host system.
To reproduce this vulnerability, a user must run a container image that has been crafted to redirect the mount of the proc filesystem. This can be done by specifying a shared mount that the attacker controls, either through another container or by manipulating mount permissions on the host. The container must be run in a way that bypasses default security measures, such as those provided by LSMs.
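As an added defender-side example (not code from the advisory or from SingularityCE), the following Python check parses /proc/self/mountinfo in the field layout documented in proc(5) and reports a /proc mount point that is not a genuine procfs mount, which is the redirected state the advisory describes; the mountinfo samples it ships with are constructed.

```python
"""Check that /proc inside a container is a genuine procfs mount.

Added example; not code from the advisory or from SingularityCE. It parses
/proc/self/mountinfo (field layout per proc(5)) and reports a /proc mount
point whose filesystem is not procfs. The samples at the bottom are constructed.
"""
from dataclasses import dataclass


@dataclass
class MountEntry:
    mount_point: str
    root: str          # path inside the source fs that is mounted here
    fstype: str
    source: str
    optional: tuple    # propagation tags such as "shared:3", if any


def parse_mountinfo(text: str) -> list:
    """Fields before " - " are positional; optional propagation fields sit
    between the mount options and the " - " separator."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_f = pre.split()      # id parent maj:min root mountpoint opts [optional...]
        post_f = post.split()    # fstype source superopts
        mount_point = pre_f[4].replace("\\040", " ")   # mountinfo escapes spaces
        entries.append(MountEntry(mount_point, pre_f[3], post_f[0], post_f[1],
                                  tuple(pre_f[6:])))
    return entries


def check_proc_mount(entries: list) -> list:
    """Return findings for the topmost /proc mount; an empty list means it is
    real procfs rather than something mounted over it."""
    procs = [e for e in entries if e.mount_point == "/proc"]
    if not procs:
        return ["no /proc mount present"]
    top = procs[-1]              # later entries overmount earlier ones
    findings = []
    if top.fstype != "proc":
        findings.append(f"/proc is {top.fstype} from {top.source}, not procfs")
    if top.root != "/":
        findings.append(f"/proc is a bind of subtree {top.root}")
    return findings


# Constructed samples: a normal container, and one whose /proc was overmounted.
SAMPLE_OK = """22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/img
30 22 0:27 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""
SAMPLE_REDIRECTED = SAMPLE_OK + \
    "35 22 8:1 /fake_proc /proc rw,relatime shared:3 - ext4 /dev/sda1 rw\n"

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        print(check_proc_mount(parse_mountinfo(fh.read())) or "ok")
```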
Users can update to SingularityCE 4.3.5 or SingularityPRO 4.1.11 or 4.3.5, where this vulnerability has been addressed.