Discover the impact of CVE-2021-32635 in Singularity versions 3.7.2 and 3.7.3. Learn about the vulnerability, affected systems, exploitation method, and mitigation steps.
A vulnerability in Singularity versions 3.7.2 and 3.7.3 allows attackers to execute malicious containers by abusing the default remote endpoint behavior. Only action commands against library:// URIs are affected, with a CVSS base score of 6.3.
Understanding CVE-2021-32635
In versions 3.7.2 and 3.7.3 of Singularity, attackers can exploit a flaw in how action commands interact with library:// URIs, potentially leading to the execution of malicious containers.
What is CVE-2021-32635?
Singularity, an open-source container platform, is vulnerable to an issue where action commands ignore the configured remote endpoint when interacting with library:// URIs. This behavior could allow an attacker to trick users into executing malicious containers from the default remote endpoint.
The Impact of CVE-2021-32635
With a CVSS base score of 6.3, this vulnerability poses a medium severity risk. Attackers can push malicious containers to the default remote endpoint, potentially leading to unauthorized code execution.
Technical Details of CVE-2021-32635
The vulnerability arises from action commands (run/shell/exec) not respecting the configured remote endpoint for library:// URIs. The issue is patched in version 3.7.4 of Singularity.
Vulnerability Description
Action commands against library:// URIs can be manipulated to retrieve containers from the default remote endpoint, enabling the execution of malicious containers.
Affected Systems and Versions
Singularity versions 3.7.2 and 3.7.3 are impacted by this vulnerability, while version 3.7.4 includes the necessary patch.
Exploitation Mechanism
Attackers can abuse the incorrect use of default URLs to trick users into running malicious containers from the default remote endpoint.
Mitigation and Prevention
Users are advised to update to Singularity version 3.7.4 to mitigate the risk of exploitation. Additionally, enabling execution control lists restricts which containers may be executed, limiting exposure to untrusted images.
Immediate Steps to Take
Update Singularity to version 3.7.4 and avoid interacting with library:// URIs from untrusted sources.
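The check a defender wants at this point is whether an installed Singularity falls in the affected range (3.7.2 or 3.7.3) and which remote endpoint is actually configured. The script below is an added example written for this page, not code from the advisory or from the Singularity project. It assumes that Singularity reports its version as "singularity version X.Y.Z" (with optional packaging suffixes) and that `singularity remote list` prints the configured endpoints; the version strings used in the self-test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory or the Singularity project):
# classify a Singularity version string against CVE-2021-32635 and, when the
# binary is present, show which remote endpoint is configured.
# Assumption: versions follow MAJOR.MINOR.PATCH; trailing suffixes such as
# "-1.el8" or "+dirty" are ignored when normalising.

# Reduce a raw version line to "X.Y.Z"; prints nothing if no such token exists.
normalize_version() {
    printf '%s\n' "$1" \
      | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 when the version is one of the affected releases named in the
# advisory (3.7.2, 3.7.3); 1 for anything else.
is_affected_by_cve_2021_32635() {
    v=$(normalize_version "$1")
    case "$v" in
        3.7.2|3.7.3) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print one of: affected, not-affected, unknown.
classify_version() {
    v=$(normalize_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    if is_affected_by_cve_2021_32635 "$v"; then
        echo affected
    else
        echo not-affected
    fi
}

# Live check: only runs when a singularity binary is on PATH.
if command -v singularity >/dev/null 2>&1; then
    raw=$(singularity --version 2>/dev/null)
    echo "installed: $raw"
    echo "CVE-2021-32635 status: $(classify_version "$raw")"
    # Review the configured remote endpoints; the fixed release honours the
    # active endpoint for library:// URIs, the affected ones do not.
    echo "configured remote endpoints:"
    singularity remote list 2>/dev/null || echo "  (unable to list remotes)"
else
    echo "singularity not found on PATH; skipping live check"
fi
```

Run it on each host that has Singularity installed; a result of "affected" means the host needs the 3.7.4 update before any action command is used against a library:// URI. The classification deliberately matches only the two releases the advisory names rather than treating everything below 3.7.4 as vulnerable.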
Long-Term Security Practices
Enforce strict container signing practices and limit interactions with default remote endpoints to enhance security posture.
Patching and Updates
Regularly check for security updates from Singularity and apply patches promptly to address known vulnerabilities.