Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2020-1037.NASL
HistoryJul 27, 2020 - 12:00 a.m.

openSUSE Security Update : singularity (openSUSE-2020-1037)

2020-07-2700:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13

7.9 High

AI Score

Confidence

High

JSON

This update for singularity fixes the following issues :

  • New version 3.6.0. This version introduces a new signature format for SIF images, and changes to the signing / verification code to address the following security problems :

  • CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user.

  • CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.

  • CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0, Singularity’s sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.

  • New features / functionalities

  • A new ‘–legacy-insecure’ flag to verify allows verification of SIF signatures in the old, insecure format.

  • A new ‘-l / --logs’ flag for instance list that shows the paths to instance STDERR / STDOUT log files.

  • The --json output of instance list now include paths to STDERR / STDOUT log files.

  • Singularity now supports the execution of minimal Docker/OCI containers that do not contain /bin/sh, e.g.
    docker://hello-world.

  • A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run singularity cache clean.

  • A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.

  • The --bind flag can now bind directories from a SIF or ext3 image into a container.

  • The --fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag).

  • This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime.

  • A new -c/–config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation.

  • A new --env flag allows container environment variables to be set via the Singularity command line.

  • A new --env-file flag allows container environment variables to be set from a specified file.

  • A new --days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name.

  • Changed defaults / behaviours

  • New signature format (see security fixes above).

  • Fixed spacing of singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.

  • Environment variables prefixed with SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix.

  • The %post build section inherits environment variables from the base image.

  • %files from … will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.

  • Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container.

  • The %test build section is executed the same manner as singularity test image.

    –fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior.

  • Deprecate -a / --all option to sign/verify as new signature behavior makes this the default.

  • For more information about upstream changes, please check:
    https://github.com/hpcng/singularity/blob/master/CHANGEL OG.md

  • Removed --name flag for cache clean; replaced with
    –days.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-1037.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('compat.inc');

if (description)
{
  script_id(138979);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/28");

  script_cve_id(
    "CVE-2019-11328",
    "CVE-2019-19724",
    "CVE-2020-13845",
    "CVE-2020-13846",
    "CVE-2020-13847"
  );

  script_name(english:"openSUSE Security Update : singularity (openSUSE-2020-1037)");

  script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"This update for singularity fixes the following issues :

  - New version 3.6.0. This version introduces a new
    signature format for SIF images, and changes to the
    signing / verification code to address the following
    security problems :

  - CVE-2020-13845, boo#1174150 In Singularity 3.x versions
    below 3.6.0, issues allow the ECL to be bypassed by a
    malicious user.

  - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all
    / -a option to singularity verify returns success even
    when some objects in a SIF container are not signed, or
    cannot be verified.

  - CVE-2020-13847, boo#1174152 In Singularity 3.x versions
    below 3.6.0, Singularity's sign and verify commands do
    not sign metadata found in the global header or data
    object descriptors of a SIF file, allowing an attacker
    to cause unexpected behavior. A signed container may
    verify successfully, even when it has been modified in
    ways that could be exploited to cause malicious
    behavior.

  - New features / functionalities

  - A new '--legacy-insecure' flag to verify allows
    verification of SIF signatures in the old, insecure
    format.

  - A new '-l / --logs' flag for instance list that shows
    the paths to instance STDERR / STDOUT log files.

  - The --json output of instance list now include paths to
    STDERR / STDOUT log files.

  - Singularity now supports the execution of minimal
    Docker/OCI containers that do not contain /bin/sh, e.g.
    docker://hello-world.

  - A new cache structure is used that is concurrency safe
    on a filesystem that supports atomic rename. If you
    downgrade to Singularity 3.5 or older after using 3.6
    you will need to run singularity cache clean.

  - A plugin system rework adds new hook points that will
    allow the development of plugins that modify behavior of
    the runtime. An image driver concept is introduced for
    plugins to support new ways of handling image and
    overlay mounts. Plugins built for <=3.5 are not
    compatible with 3.6.

  - The --bind flag can now bind directories from a SIF or
    ext3 image into a container.

  - The --fusemount feature to mount filesystems to a
    container via FUSE drivers is now a supported feature
    (previously an experimental hidden flag).

  - This permits users to mount e.g. sshfs and cvmfs
    filesystems to the container at runtime.

  - A new -c/--config flag allows an alternative
    singularity.conf to be specified by the root user, or
    all users in an unprivileged installation.

  - A new --env flag allows container environment variables
    to be set via the Singularity command line.

  - A new --env-file flag allows container environment
    variables to be set from a specified file.

  - A new --days flag for cache clean allows removal of
    items older than a specified number of days. Replaces
    the --name flag which is not generally useful as the
    cache entries are stored by hash, not a friendly name.

  - Changed defaults / behaviours

  - New signature format (see security fixes above).

  - Fixed spacing of singularity instance list to be
    dynamically changing based off of input lengths instead
    of fixed number of spaces to account for long instance
    names.

  - Environment variables prefixed with SINGULARITYENV_
    always take precedence over variables without
    SINGULARITYENV_ prefix.

  - The %post build section inherits environment variables
    from the base image.

  - %files from ... will now follow symlinks for sources
    that are directly specified, or directly resolved from a
    glob pattern. It will not follow symlinks found through
    directory traversal. This mirrors Docker multi-stage
    COPY behaviour.

  - Restored the CWD mount behaviour of v2, implying that
    CWD path is not recreated inside container and any
    symlinks in the CWD path are not resolved anymore to
    determine the destination path inside container.

  - The %test build section is executed the same manner as
    singularity test image.

    --fusemount with the container: default directive will
    foreground the FUSE process. Use container-daemon: for
    previous behavior.

  - Deprecate -a / --all option to sign/verify as new
    signature behavior makes this the default.

  - For more information about upstream changes, please
    check:
    https://github.com/hpcng/singularity/blob/master/CHANGEL
    OG.md

  - Removed --name flag for cache clean; replaced with
    --days.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1125369");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1128598");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159550");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174148");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174150");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1174152");
  script_set_attribute(attribute:"see_also", value:"https://github.com/hpcng/singularity/blob/master/CHANGELOG.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected singularity packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11328");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:singularity");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:singularity-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"singularity-3.6.0-lp151.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"singularity-debuginfo-3.6.0-lp151.2.6.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "singularity / singularity-debuginfo");
}
VendorProductVersionCPE
novellopensusesingularityp-cpe:/a:novell:opensuse:singularity
novellopensusesingularity-debuginfop-cpe:/a:novell:opensuse:singularity-debuginfo
novellopensuse15.1cpe:/o:novell:opensuse:15.1

Related

suse 5
openvas 6
nessus 5
alpinelinux 4
veracode 5
github 4
debiancve 5
osv 9
fedora 3
cvelist 5
prion 5
cve 5
ubuntucve 4
suse
suse
Security update for singularity (important)
2020-07-23 00:00:00
Security update for singularity (important)
2020-09-18 00:00:00
Security update for singularity (important)
2020-07-19 00:00:00
openvas
openvas
openSUSE: Security Advisory for singularity (openSUSE-SU-2020:1037-1)
2020-07-24 00:00:00
openSUSE: Security Advisory for singularity (openSUSE-SU-2020:1011-1)
2020-07-20 00:00:00
Fedora Update for singularity FEDORA-2019-25ecc42592
2019-05-26 00:00:00
nessus
nessus
openSUSE Security Update : singularity (openSUSE-2020-1011)
2020-07-20 00:00:00
Fedora 30 : singularity (2019-da2ed3b0b5)
2019-05-24 00:00:00
openSUSE Security Update : singularity (openSUSE-2020-57)
2020-01-15 00:00:00
alpinelinux
alpinelinux
CVE-2020-13845
2020-07-14 18:15:00
CVE-2020-13847
2020-07-14 18:15:00
CVE-2019-19724
2019-12-18 21:15:00
veracode
veracode
Insecure Permission
2019-12-19 02:48:16
Privilege Escalation
2019-05-17 09:57:34
Business Logic Errors
2022-02-26 07:08:05
github
github
Execution Control List (ECL) Is Insecure in Singularity
2021-12-20 18:24:30
Incorrect Permission Assignment for Critical Resource in Singularity
2021-12-20 18:25:33
"Verify All" Returns Success Despite Validation Failures in Singularity
2021-12-20 18:24:43
debiancve
debiancve
CVE-2020-13847
2020-07-14 18:15:00
CVE-2019-11328
2019-05-14 21:29:00
CVE-2020-13845
2020-07-14 18:15:00
osv
osv
Execution Control List (ECL) Is Insecure in Singularity
2021-12-20 18:24:30
Incorrect Permission Assignment for Critical Resource in Singularity
2021-12-20 18:25:33
CVE-2020-13845
2020-07-14 18:15:14
fedora
fedora
[SECURITY] Fedora 30 Update: singularity-3.1.1-1.1.fc30
2019-05-23 17:50:07
[SECURITY] Fedora 29 Update: singularity-3.1.1-1.1.fc29
2019-05-24 21:50:16
[SECURITY] Fedora 28 Update: singularity-3.1.1-1.1.fc28
2019-05-23 18:28:11
cvelist
cvelist
CVE-2020-13846
2020-07-14 17:30:09
CVE-2019-19724
2019-12-18 20:52:24
CVE-2020-13847
2020-07-14 17:16:03
prion
prion
Privilege escalation
2019-05-14 21:29:00
Design/Logic Flaw
2020-07-14 18:15:00
Input validation
2020-07-14 18:15:00
cve
cve
CVE-2019-11328
2019-05-14 21:29:00
CVE-2020-13845
2020-07-14 18:15:00
CVE-2020-13847
2020-07-14 18:15:00
ubuntucve
ubuntucve
CVE-2020-13845
2020-07-14 00:00:00
CVE-2020-13847
2020-07-14 00:00:00
CVE-2019-19724
2019-12-18 00:00:00

7.9 High

AI Score

Confidence

High

JSON
Related for OPENSUSE-2020-1037.NASL
suse5openvas6nessus5alpinelinux4veracode5github4debiancve5osv9fedora3cvelist5prion5cve5ubuntucve4