CVE-2021-33622
📋 TL;DR
CVE-2021-33622 is a critical vulnerability in Sylabs Singularity container software where incorrect return value checking allows attackers to bypass security controls. This affects Singularity 3.5.x, 3.6.x, and SingularityPRO before 3.5-8. Attackers could potentially gain elevated privileges or execute arbitrary code on affected systems.
💻 Affected Systems
- Sylabs Singularity
- Sylabs SingularityPRO
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level access, container escape, and complete control over the host system
Likely Case
Privilege escalation allowing attackers to execute arbitrary code within containers and potentially escape to the host
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are implemented
🎯 Exploit Status
Exploitation requires ability to run containers on the system; CVSS 9.8 indicates critical severity but no public exploits confirmed
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Singularity 3.5.8, 3.6.4, SingularityPRO 3.5-8
Vendor Advisory: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
Restart Required: No
Instructions:
1. Check current version with 'singularity version'.
2. Update using package manager: 'sudo apt update && sudo apt upgrade singularity' (Debian/Ubuntu) or 'sudo yum update singularity' (RHEL/CentOS).
3. Verify update with 'singularity version'.
🔧 Temporary Workarounds
Restrict container execution
Limit who can run containers and what containers can be executed
sudo chmod 750 /usr/bin/singularity
sudo setfacl -m u:trusted_user:rx /usr/bin/singularity
Network isolation
Isolate Singularity hosts from sensitive networks
iptables -A INPUT -p tcp --dport 2375 -j DROP
iptables -A OUTPUT -d sensitive_network -j DROP
🧯 If You Can't Patch
- Implement strict access controls to limit who can execute containers
- Deploy network segmentation to isolate Singularity hosts from critical systems
🔍 How to Verify
Check if Vulnerable:
Run 'singularity version' and check if output matches vulnerable versions (3.5.0-3.5.7, 3.6.0-3.6.3, or SingularityPRO < 3.5-8)
Check Version:
singularity version
Verify Fix Applied:
Run 'singularity version' and confirm version is 3.5.8+, 3.6.4+, or SingularityPRO 3.5-8+
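The version check above, automated as an added example (not from the vendor advisory or the Singularity project): a POSIX sh function that maps a version string to the ranges listed on this page, including the SingularityPRO 3.5-N scheme. It assumes 'singularity version' prints a bare version, optionally with a leading 'v', a distro suffix such as '-1.el8', or a build suffix such as '+commit'.

```shell
#!/bin/sh
# classify_version VERSION
# Prints "vulnerable", "fixed" or "not-listed" according to the ranges in
# this advisory: 3.5.0-3.5.7 and 3.6.0-3.6.3 (fixed in 3.5.8 / 3.6.4),
# SingularityPRO before 3.5-8 (fixed in 3.5-8). Anything outside those
# branches is reported as "not-listed" rather than assumed safe.
classify_version() {
    v=$1
    v=${v#v}             # drop a leading "v" (assumed output variant)
    v=${v%%[+~]*}        # drop "+commit" / "~rc" build suffixes
    case "$v" in
        3.5-*)           # SingularityPRO: 3.5-N, fixed at 3.5-8
            n=${v#3.5-}; n=${n%%[!0-9]*}
            if [ "${n:-0}" -ge 8 ]; then echo fixed; else echo vulnerable; fi ;;
        3.5.*)           # OSS 3.5.x, fixed at 3.5.8
            n=${v#3.5.}; n=${n%%[!0-9]*}   # keep digits before "-1.el8" etc.
            if [ "${n:-0}" -ge 8 ]; then echo fixed; else echo vulnerable; fi ;;
        3.6.*)           # OSS 3.6.x, fixed at 3.6.4
            n=${v#3.6.}; n=${n%%[!0-9]*}
            if [ "${n:-0}" -ge 4 ]; then echo fixed; else echo vulnerable; fi ;;
        *)
            echo not-listed ;;
    esac
}

# main [VERSION]: classify the argument, or the installed binary if none given.
main() {
    if [ $# -gt 0 ]; then
        ver=$1
    elif command -v singularity >/dev/null 2>&1; then
        ver=$(singularity version)
    else
        echo "singularity not found in PATH" >&2
        return 2
    fi
    printf '%s -> %s\n' "$ver" "$(classify_version "$ver")"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with no arguments on a host to classify the installed build, or pass a version string (for example one collected by inventory tooling) to classify it offline.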
📡 Detection & Monitoring
Log Indicators:
- Unusual container execution patterns
- Failed privilege checks in system logs
- Unexpected process spawning from singularity
Network Indicators:
- Unexpected outbound connections from container hosts
- Network traffic to/from unusual container registries
SIEM Query:
source="singularity.log" AND ("permission denied" OR "security violation" OR "unauthorized")