CVE-2020-15229

8.2 HIGH

📋 TL;DR

This CVE allows path traversal attacks during squashfs extraction in the Singularity container platform. Attackers can overwrite or create arbitrary files on the host filesystem using malicious container images. It affects users running Singularity in unprivileged mode or building images from remote sources.

💻 Affected Systems

Products:
  • Singularity (now Apptainer)
Versions: 3.1.1 through 3.6.3
Operating Systems: All platforms running Singularity
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in both unprivileged mode (allow setuid = no) and privileged image building. Remote sources library:// and shub:// are particularly risky.


⚠️ Risk & Real-World Impact

🔴 Worst Case

A root user building images could have arbitrary files overwritten, leading to full system compromise including privilege escalation, backdoor installation, or data destruction.

🟠 Likely Case

Unprivileged users could overwrite files they have write access to, potentially escalating privileges or disrupting system operations.

🟢 If Mitigated

With proper controls, impact is limited to isolated container environments with restricted filesystem access.

🌐 Internet-Facing: MEDIUM - Exploitation requires pulling malicious images from remote sources (library:// or shub://), which could be automated.
🏢 Internal Only: HIGH - Internal users with access to Singularity could exploit this to escalate privileges or compromise shared systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to run, or build from, a malicious container image. The vulnerability is in the unsquashfs extraction process used during image handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.4

Vendor Advisory: https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes

Restart Required: No

Instructions:

1. Check current version: singularity version
2. Upgrade to 3.6.4 or later using package manager or source
3. For package install: upgrade through your package manager (e.g. sudo yum update singularity, or sudo apt install --only-upgrade singularity)
4. For source install: git clone, checkout v3.6.4+, make, sudo make install

🔧 Temporary Workarounds

Avoid unprivileged single file images

Use sandbox images instead of single file images in unprivileged mode:

singularity build --sandbox image.sandbox docker://alpine

Restrict image build sources

Avoid building images from library:// and shub:// sources; use local images or docker:// sources instead.

🧯 If You Can't Patch

  • Disable unprivileged mode and require setuid (set allow setuid = yes in singularity.conf)
  • Use --fakeroot flag for image building or perform builds in isolated VMs
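A pre-extraction check for the traversal described in the exploit status section, added here as an example (this is not Singularity's own fix or code): it takes the entry listing of a squashfs image and refuses any name that would resolve outside the extraction directory. The listing format, the unsquashfs -l flag and the list_image helper are assumptions, and the sample listing is constructed.

```python
import posixpath
import subprocess

ROOT = "squashfs-root"  # directory unsquashfs extracts into by default

# Constructed sample of an "unsquashfs -l" style listing (assumption: entries
# are printed as paths under the "squashfs-root/" destination, after a few
# informational lines).  The two "../" entries mimic the crafted names this
# CVE abused.
SAMPLE_LISTING = """\
Parallel unsquashfs: Using 2 processors
6 inodes (4 blocks) to write
squashfs-root/
squashfs-root/bin
squashfs-root/bin/sh
squashfs-root/../../root/.bashrc
squashfs-root/etc/../../../etc/cron.d/job
squashfs-root/usr/lib/../bin/safe
"""

def escapes_root(entry: str, root: str = ROOT) -> bool:
    """True if the entry, resolved lexically the way an extractor that joins
    names straight onto its destination would resolve it, lands outside root."""
    resolved = posixpath.normpath(entry)
    return not (resolved == root or resolved.startswith(root + "/"))

def find_traversal_entries(listing: str, root: str = ROOT) -> list[str]:
    """Return every listed entry that would be written outside root.  Symlink
    targets do not appear in a plain listing, so only name traversal is caught."""
    flagged = []
    for line in listing.splitlines():
        line = line.strip()
        # informational lines lack the root prefix; every entry carries it
        if line != root and not line.startswith(root + "/"):
            continue
        if escapes_root(line, root):
            flagged.append(line)
    return flagged

def list_image(path: str) -> str:
    """Listing of a real image via 'unsquashfs -l' (assumed flag; not run here)."""
    out = subprocess.run(["unsquashfs", "-l", path],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    bad = find_traversal_entries(SAMPLE_LISTING)
    print("traversal entries found:" if bad else "no traversal entries")
    for entry in bad:
        print("  ", entry)
```

Run it against a real image with find_traversal_entries(list_image("image.sif")) and only extract when the result is empty.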

🔍 How to Verify

Check if Vulnerable:

Check if running version 3.1.1 through 3.6.3 (anchored so that 3.1.0 and 3.6.3x do not match): singularity version | grep -E '^3\.(1\.[1-9]|[2-5]\.[0-9]+|6\.[0-3])([^0-9]|$)'

Check Version:

singularity version

Verify Fix Applied:

Confirm version is 3.6.4 or later (covers 3.6.4+, 3.7 through 3.99 and 4.x upwards): singularity version | grep -E '^(3\.6\.([4-9]|[1-9][0-9]+)|3\.([7-9]|[1-9][0-9]+)\.|[4-9]\.)'. Apptainer uses its own 1.x version numbering, which this pattern does not match.

📡 Detection & Monitoring

Log Indicators:

  • Failed file overwrite attempts in system logs
  • Unexpected file modifications during container operations
  • Singularity processes extracting from library:// or shub:// sources

Network Indicators:

  • Downloads from library.sylabs.io or Singularity Hub during image operations

SIEM Query:

process.name:"singularity" AND (network.destination:"library.sylabs.io" OR network.destination:"singularity-hub.org")
