CVE-2025-64750
📋 TL;DR
This vulnerability in the SingularityCE and SingularityPRO container platforms allows an attacker to bypass Linux Security Module (LSM) restrictions under specific conditions: a user is tricked into running a malicious container image that manipulates /proc mounts, and the container can then redirect LSM label write operations. It affects users who rely on LSM restrictions for container security.
💻 Affected Systems
- SingularityCE
- SingularityPRO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of LSM security controls, potentially allowing container escape or privilege escalation if combined with other vulnerabilities.
Likely Case
Partial bypass of LSM restrictions, enabling malicious containers to perform operations that should be blocked by security policies.
If Mitigated
Limited impact if proper container isolation, network segmentation, and least privilege principles are already implemented.
🎯 Exploit Status
Exploitation requires specific conditions: malicious container image, user execution, and control over shared mounts. References to related runc vulnerabilities suggest potential for more sophisticated attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SingularityCE 4.3.5, SingularityPRO 4.1.11 and 4.3.5
Vendor Advisory: https://github.com/advisories/GHSA-fh74-hm69-rqjw
Restart Required: No
Instructions:
1. Update SingularityCE to version 4.3.5 or later.
2. Update SingularityPRO to version 4.1.11 or 4.3.5 or later.
3. Verify the update with the 'singularity version' command.
🔧 Temporary Workarounds
Restrict container image sources
Only run containers from trusted sources and implement image signing verification:
singularity verify image.sif
Configure singularity to only pull from trusted registries.
Limit shared mount usage
Avoid using shared mounts, or restrict which directories can be mounted:
Review and modify bind mount configurations in singularity.conf.
Use --bind with caution and validate paths.
🧯 If You Can't Patch
- Implement strict container image policies - only allow signed images from trusted sources
- Enforce network segmentation to isolate container environments from critical systems
🔍 How to Verify
Check if Vulnerable:
Run 'singularity version' and compare the result against the affected versions (SingularityCE < 4.3.5; SingularityPRO < 4.1.11 and < 4.3.5).
Check Version:
singularity version
Verify Fix Applied:
After updating, run 'singularity version' to confirm version is 4.3.5 or later for CE, or 4.1.11/4.3.5 or later for PRO
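As an added example (not from the advisory or from Sylabs' own tooling), a POSIX shell script that compares a Singularity version string against the fixed releases named on this page. It assumes 'singularity version' prints a bare version number, optionally with a suffix, and takes the edition (ce or pro) as an argument because the version string alone does not identify it.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Sylabs' tooling. Compares a
# version against the fixes on this page: CE 4.3.5; PRO 4.1.11 (4.1.x) and 4.3.5.
# Assumption: `singularity version` prints e.g. 4.3.4, maybe with a suffix.

# split_version STRING -> "MAJOR MINOR PATCH"; missing components become 0
split_version() {
    v=${1#v}                      # tolerate a leading "v"
    v=${v%%[!0-9.]*}              # drop a suffix such as -1.el8 or -rc1
    IFS=.; set -- $v              # runs inside $(...), so IFS does not leak
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# version_ge A B -> exit 0 when A >= B, comparing each component numerically
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# is_patched EDITION VERSION -> exit 0 when VERSION carries the fix (EDITION: ce|pro)
is_patched() {
    case $1 in
        ce)  version_ge "$2" 4.3.5 ;;
        pro) set -- "$2" $(split_version "$2")   # $1=version $2=major $3=minor
             if [ "$2" -eq 4 ] && [ "$3" -eq 1 ]; then
                 version_ge "$1" 4.1.11          # 4.1.x series
             else
                 version_ge "$1" 4.3.5           # 4.3.x series and later
             fi ;;
        *)   echo "unknown edition: $1" >&2; return 2 ;;
    esac
}

# check_installed EDITION -> queries the local binary and reports the result
check_installed() {
    command -v singularity >/dev/null 2>&1 || { echo "singularity not in PATH"; return 2; }
    ver=$(singularity version)
    if is_patched "$1" "$ver"; then
        echo "singularity $ver ($1): fix for CVE-2025-64750 present"
    else
        echo "singularity $ver ($1): affected by CVE-2025-64750, update"; return 1
    fi
}

# Usage: sh check.sh --check ce   (or: --check pro)
if [ "${1:-}" = "--check" ]; then
    check_installed "${2:-ce}"
fi
```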
📡 Detection & Monitoring
Log Indicators:
- Unusual /proc mount operations in container logs
- Failed LSM policy enforcement attempts
- Container execution with suspicious bind mount parameters
Network Indicators:
- Unexpected container image pulls from untrusted sources
- Network traffic from containers attempting to access restricted resources
SIEM Query:
Example: 'container_runtime=singularity AND ((event="mount" AND path="/proc") OR (event="lsm_denied" AND container_image_source="untrusted"))' (both clauses are grouped under the runtime filter so that the second does not match events from other runtimes)
🔗 References
- https://github.com/advisories/GHSA-fh74-hm69-rqjw
- https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
- https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33
- https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0
- https://github.com/sylabs/singularity/pull/3850
- https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87