Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 3 May 2018 17:12:06 +0000
From: "Priedhorsky, Reid" <reidpr@...l.gov>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Singularity's Linux kernel vulnerability claim

Folks,

Singularity is a container runtime targeting the high-performance computing market. It appears to be the sole product of Sylabs, Inc. [1] and has both “community” (open source) and “pro” (closed source) versions.

Recently, the Singularity team announced on their blog [2], following up an earlier mailing list post [3], that they’ve found:

> an exploit vector to all container runtimes, that allows a malicious user to gain additional privileges within a container on hosts running kernels that do not support the PR_SET_NO_NEW_PRIVS feature

No technical details are publically available:

> Sylabs has not provided details about this exploit because there is no workaround short of upgrading the kernel or uninstalling Singularity. So giving more information will only help malicious parties.

We understand that details have been offered by Sylabs to at least one third party under NDA. This third party declined, but others may have accepted.

Sylabs does not plan to request a CVE (link in original):

> As of now, Sylabs will not request a  CVE for this issue because it only affects old kernels and CVE’s associated with PR_SET_NO_NEW_PRIVS have already been provided and resolved [4].


My questions:

1. Does anyone know what is going on with this alleged vulnerability?
2. Has anything been independently corroborated?
3. Would a CVE request be appropriate?

Thanks,
Reid

[1]: https://www.sylabs.io/
[2]: https://www.sylabs.io/2018/05/whatsnew-singularity-2-5-why-affects-everyone-using-containers/
[3]: https://groups.google.com/a/lbl.gov/forum/#!topic/singularity/2h8KYUblVxA
[4]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.