Response to CVE-2023-30549

By Staff

Apr 25, 2023 | News

The Apptainer project has recently published CVE-2023-30549. The associated security advisory claims that there is a generic security issue in all Apptainer and Singularity variants because they may allow the exploitation of unpatched file system vulnerabilities in the Linux kernel.
A single medium severity vulnerability, CVE-2022-1184, is specifically referenced. This is a kernel extfs use-after-free flaw that can be exploited to cause a denial of service. At this time, it has not been patched in EL7, Ubuntu 18.04 / 20.04, or Debian buster (oldstable), but has been patched in various other distribution versions:

Impact

There is no impact to systems that are not vulnerable to CVE-2022-1184. On systems that are vulnerable to CVE-2022-1184, a specially crafted extfs container image, or extfs overlay partition within a SIF file, may trigger a denial of service when run with SingularityCE / SingularityPRO in set-uid mode.

Analysis

Sylabs’ opinion is that CVE-2023-30549 is a duplicate of CVE-2022-1184, and does not describe a security vulnerability in SingularityCE / SingularityPRO. The security vulnerability identified in the advisory is in the kernel, and must be patched there. It is also relevant to non-Singularity workflows, such as automatic or user-initiated mounts of USB drives under desktop environments.

For users who are unable to patch against vulnerabilities such as CVE-2022-1184, the ability to disable all mounts of extfs file systems in setuid mode may be a valid defense-in-depth strategy. A configuration option to this effect will be added to the next release of SingularityCE and SingularityPRO. Note that the use of this configuration option may cause adverse effects to Singularity workflows that make use of container images that use an EXT format.
The Apptainer project has used the advisory to advocate for non-setuid execution of containers, using unprivileged user namespaces and FUSE mounts, as a solution to this class of security issues. Sylabs believes this is an oversimplification of security concerns around the use of containers on shared access systems. Enabling unprivileged user namespaces results in a different set of vulnerabilities becoming potentially exploitable. System administrators must carefully consider the security and usability trade-offs that exist.
Specifically, administrators should be aware that neither FUSE nor user namespaces are without security issues, which may have lower or higher importance to a site depending on the security posture employed. E.g.
Administrators should also be aware that switching to a non-setuid approach, where users have access to unprivileged user namespaces, can impact other aspects of security negatively. E.g.
  • Singularity’s execution control list, that limits container execution to specifically signed containers, cannot be enforced.
  • Encrypted SIF containers can no longer be utilized.
Additionally, there are behavior limitations in non-setuid mode that, without care, may result in users arranging data on the host system in ways that are less secure, in order to continue to work with it in containers:

Summary

Sylabs does not consider CVE-2023-30549 to be a vulnerability in Singularity. Systems should be patched regularly to ensure they are not susceptible to vulnerabilities such as CVE-2022-1184.

For users who are unable to patch against vulnerabilities such as CVE-2022-1184, disabling extfs mounts in setuid mode may be a valid defense-in-depth strategy, and will be supported in the next releases of SingularityCE and SingularityPRO.
The security of container runtimes on shared systems is a complex area. Different approaches have various security and usability trade-offs. Depending on the security posture of a site, either setuid or non-setuid mode may be most appropriate.
Stability of existing workflows remains a strong focus with SingularityCE / PRO. We are committed to ensuring that users understand the security and usability complexities and trade-offs of different container runtime approaches. If you have questions about the best approach for your environment, please contact us.

Join Our Mailing List

Related Posts

OCI Basics using Singularity Enterprise Registry

Overview Singularity Enterprise comes with a fully compliant Open Container Initiative (OCI) registry. The following is a collection of typical registry operations within your workflow. Assuming the Singularity Enterprise registry address is registry.sylabs.io, please...

read more