
x/vulndb: potential Go vuln in github.com/apptainer/apptainer: GHSA-j4rf-7357-f4cg #1738

Closed
GoVulnBot opened this issue Apr 25, 2023 · 4 comments
Labels
excluded: EFFECTIVELY_PRIVATE: This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-j4rf-7357-f4cg, there is a vulnerability in the following Go packages or modules:

Unit                             Fixed   Vulnerable Ranges
github.com/apptainer/apptainer   1.1.8   < 1.1.8

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/apptainer/apptainer
    versions:
      - fixed: 1.1.8
    packages:
      - package: github.com/apptainer/apptainer
summary: Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer
    and Singularity
description: "### Impact\nThere is an ext4 use-after-free flaw described in CVE-2022-1184
    that is exploitable through versions of Apptainer < 1.1.0, installations that
    include apptainer-suid < 1.1.8, and all versions of Singularity in their default
    configurations on older operating systems where that CVE has not been patched.
    \ That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10
    package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal.  Use-after-free
    flaws in the kernel can be used to attack the kernel for denial of service and
    potentially for privilege escalation.\n\n### Background\nHistorically there have
    been many CVEs published for extfs and a smaller number for squashfs, including
    serious use-after-free and buffer overrun vulnerabilities, that are scored as
    \"Moderate\" or \"Low\" impact only because unprivileged users were assumed to
    not have write access to the raw data.  Because of those ratings, vendors treat
    such CVEs as low urgency and either delay a patch until their next major release
    or never patch older but still supported operating systems at all.  Many Linux
    distributions automatically mount user-writable USB-drive volumes, but those are
    considered low risk because they require physical access to the machine.  However,
    since setuid-root installations of Apptainer and Singularity by default allow
    all users to mount any extfs (specifically, ext3, which is implemented by the
    ext4 driver) and squashfs filesystem using kernel drivers even though the users
    have write access to the raw data, the setuid-root installations raise the severity
    of such unpatched CVEs.  \n\nCVE-2022-1184 is currently such an unpatched CVE,
    at least on the above listed operating systems.  The descriptions from the operating
    system vendors about the CVE (referenced below) are incomplete, saying only that
    it allows a local attacker with user privilege to cause a denial of service.  Normally
    users would not be able to cause it because they cannot modify the filesystem
    image, and normally vulnerabilities that involve kernel memory corruption by unprivileged
    users are considered high severity even when there is not yet a known privilege
    escalation because someone with sufficient kernel knowledge can usually turn such
    a corruption into a privilege escalation. \n\nRed Hat did not list RHEL7 as vulnerable,
    but they also did not list it as unaffected, and testing confirmed that a filesystem
    image could be corrupted to get past the check inserted into the filesystem driver
    to fix the vulnerability (patches linked below).\n\nAll published squashfs CVEs
    have been patched in currently supported major operating systems.\n\n### Patches\nApptainer
    1.1.8 includes a patch that by default disables mounting of extfs filesystem types
    in setuid-root mode, while continuing to allow mounting of extfs filesystems in
    non-setuid \"rootless\" mode using fuse2fs.\n\n### Workarounds\nThese workarounds
    are possible:\n1. Either do not install apptainer-suid (for versions 1.1.0 through
    1.1.7) or set `allow setuid = no` in apptainer.conf (or singularity.conf for singularity
    versions).  This requires having unprivileged user namespaces enabled and except
    for apptainer 1.1.x versions will disallow mounting of sif files, extfs files,
    and squashfs files in addition to other, less significant impacts.  (Encrypted
    sif files are also not supported unprivileged in apptainer 1.1.x.)\n2. Alternatively,
    use the `limit containers` options in apptainer.conf/singularity.conf to limit
    sif files to trusted users, groups, and/or paths.  (The option `allow container
    extfs = no` disallows mounting extfs overlay files but does not disallow mounting
    of extfs overlay partitions inside SIF files, so it does not help work around
    the problem.)"
cves:
  - CVE-2023-30549
ghsas:
  - GHSA-j4rf-7357-f4cg
references:
  - advisory: https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
  - web: https://nvd.nist.gov/vuln/detail/CVE-2022-1184
  - fix: https://github.com/torvalds/linux/commit/61a1d87a324ad5e3ed27c6699dfc93218fcf3201
  - fix: https://github.com/torvalds/linux/commit/65f8ea4cd57dbd46ea13b41dc8bac03176b04233
  - web: https://access.redhat.com/security/cve/cve-2022-1184
  - web: https://security-tracker.debian.org/tracker/CVE-2022-1184
  - web: https://ubuntu.com/security/CVE-2022-1184
  - advisory: https://github.com/advisories/GHSA-j4rf-7357-f4cg
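An added configuration audit (not code from the advisory, the vulndb report, or the Apptainer project) that applies the Workarounds section above to an apptainer.conf on an Apptainer host: a setuid install counts as mitigated if apptainer is 1.1.8 or later, if `allow setuid = no`, or if any `limit container owners/groups/paths` value is set, and `allow container extfs = no` is reported as insufficient. The `limit container ...` key names and their `NULL` default are assumptions about Apptainer's config format, Singularity hosts (vulnerable at every version) are not covered, and the config text is a constructed sample.

```python
import re

# Apptainer 1.1.8 disables setuid-mode extfs mounts by default (advisory "Patches").
FIXED = (1, 1, 8)
# Assumed apptainer.conf key names; "NULL" is assumed to be their unset default.
LIMIT_KEYS = ("limit container owners", "limit container groups", "limit container paths")

def parse_version(v):
    """'v1.1.7' -> (1, 1, 7). Pre-release suffixes are dropped, so check rc builds by hand."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def parse_conf(text):
    """apptainer.conf: one 'key = value' per line, '#' starts a comment, later keys overwrite."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = value
    return conf

def assess(version, conf_text):
    """Return (exposed, reasons) for an apptainer-suid install, following the advisory's workarounds."""
    conf = parse_conf(conf_text)
    if parse_version(version) >= FIXED:
        return False, ["apptainer >= 1.1.8: setuid-mode extfs mounts are disabled by default"]
    if conf.get("allow setuid", "yes").lower() == "no":
        # Workaround 1 (also requires unprivileged user namespaces, not checked here).
        return False, ["allow setuid = no: users get no kernel-driver mounts"]
    limited = [k for k in LIMIT_KEYS if conf.get(k, "NULL").upper() != "NULL"]
    if limited:
        # Workaround 2: SIF images restricted to trusted owners, groups or paths.
        return False, [f"{k} restricts who may mount SIF images" for k in limited]
    reasons = [f"apptainer-suid {version} < 1.1.8 with allow setuid = yes and no limit container restrictions"]
    if conf.get("allow container extfs", "yes").lower() == "no":
        # Per the advisory, this does not cover extfs overlay partitions inside SIF files.
        reasons.append("allow container extfs = no does not block extfs partitions inside SIF files")
    return True, reasons

# Constructed sample: stock-looking settings on an unpatched apptainer-suid host.
SAMPLE_CONF = """\
# constructed apptainer.conf excerpt
allow setuid = yes
allow container extfs = no
limit container owners = NULL
"""
```

Running `assess("1.1.7", SAMPLE_CONF)` reports the host as exposed with two reasons, the second being that `allow container extfs = no` does not cover extfs partitions inside SIF files.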

@zpavlinovic (Contributor)

Vuln in binary. Also, fix is in the packages not imported by anyone.

@zpavlinovic zpavlinovic self-assigned this Apr 26, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.) label Apr 26, 2023
@gopherbot (Contributor)

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

@gopherbot (Contributor)

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot (Contributor)

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
  - data/reports/GO-2023-1700.yaml
  - data/reports/GO-2023-1701.yaml
  - data/reports/GO-2023-1707.yaml
  - data/reports/GO-2023-1708.yaml
  - data/reports/GO-2023-1716.yaml
  - data/reports/GO-2023-1718.yaml
  - data/reports/GO-2023-1719.yaml
  - data/reports/GO-2023-1721.yaml
  - data/reports/GO-2023-1723.yaml
  - data/reports/GO-2023-1730.yaml
  - data/reports/GO-2023-1735.yaml
  - data/reports/GO-2023-1738.yaml
  - data/reports/GO-2023-1747.yaml
  - data/reports/GO-2023-1754.yaml
  - data/reports/GO-2023-1758.yaml
  - data/reports/GO-2023-1761.yaml
  - data/reports/GO-2023-1763.yaml
  - data/reports/GO-2023-1764.yaml
  - data/reports/GO-2023-1768.yaml
  - data/reports/GO-2023-1774.yaml

Updates #1700
Updates #1701
Updates #1707
Updates #1708
Updates #1716
Updates #1718
Updates #1719
Updates #1721
Updates #1723
Updates #1730
Updates #1735
Updates #1738
Updates #1747
Updates #1754
Updates #1758
Updates #1761
Updates #1763
Updates #1764
Updates #1768
Updates #1774

Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>