Re: Singularity's Linux kernel vulnerability claim

[gremlin () gremlin ru]

On 2018-05-03 17:12:06 +0000, Priedhorsky, Reid wrote:

> Singularity is a container runtime targeting the high-performance
> computing market. It appears to be the sole product of Sylabs,
> Inc. [1] and has both 'community' (open source) and
> 'pro' (closed source) versions.
> Recently, the Singularity team announced on their blog [2],
> following up an earlier mailing list post [3], that they've
> found:
> > an exploit vector to all container runtimes, that allows a
> > malicious user to gain additional privileges within a container on
> > hosts running kernels that do not support the PR_SET_NO_NEW_PRIVS
> > feature

That's normal: the container runtimes (except OpenVZ VPSes) are
designed to be just a resource-limiting solution. Even the (quite
trivial) "undock" exploit (developed for Docker, works everywhere
except OpenVZ) allows escaping the container and getting into the
host system once you have got root access inside of the container.

> No technical details are publically available:
> > Sylabs has not provided details about this exploit because there
> > is no workaround short of upgrading the kernel or uninstalling
> > Singularity. So giving more information will only help malicious
> > parties.
> We understand that details have been offered by Sylabs to at
> least one third party under NDA. This third party declined,
> but others may have accepted.

That's their right. However, publishing the zero-day exploit could
be much more funny...

> Sylabs does not plan to request a CVE (link in original):
> > As of now, Sylabs will not request a CVE for this issue
> > because it only affects old kernels and CVE's associated with
> > PR_SET_NO_NEW_PRIVS have already been provided and resolved [4].
> My questions:
> 1. Does anyone know what is going on with this alleged
> vulnerability?

That's not actually a vulnerability, but just a misuse of kernel
containerization features. Or would you put an elephant in a car
instead of getting a truck?

> 2. Has anything been independently corroborated?
> 3. Would a CVE request be appropriate?

My guess: unlikely.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8

Attachment: _bin
Description: