PT-2020-13726 · Sylabs · Sylabs Singularity
Published: 2020-07-14 · Updated: 2024-06-15 · CVE-2020-13845
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Sylabs Singularity versions 3.0 through 3.5
Description
The issue concerns improper validation of an integrity check value in Sylabs Singularity. Specifically, image integrity is not validated when an Execution Control List (ECL) policy is enforced. The fingerprint required by the ECL is compared against the fingerprint recorded in the signature object descriptor(s) of the SIF file, rather than against a cryptographically verified signature over the image contents. This allows a malicious user to bypass the ECL by crafting an arbitrary payload that will be permitted to run, even without access to the private key associated with the fingerprint(s) configured in the ECL.
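The following Go program is an added illustration of the weakness class described above; it is not Singularity's code and uses a deliberately simplified, constructed model of a SIF image (Ed25519 keys and a SHA-256 key fingerprint instead of the PGP keys and fingerprints Singularity actually uses). `eclAllowsInsecure` admits an image when a signature descriptor merely claims an allow-listed fingerprint, while `eclAllowsVerified` admits it only after the signature verifies over the payload under the trusted key with that fingerprint. All type and function names here are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Descriptor models one object descriptor in a SIF-like image (constructed
// model, not the real SIF layout). A signature descriptor carries the
// fingerprint of the key that *claims* to have signed the payload; nothing
// stops an image author from writing any value into this field.
type Descriptor struct {
	Kind        string // "payload" or "signature"
	Fingerprint string // hex SHA-256 of the signer's public key (claimed)
	Data        []byte // payload bytes, or the raw signature bytes
}

// Image is a minimal container: a list of descriptors.
type Image struct {
	Descriptors []Descriptor
}

// fingerprint derives a key fingerprint for this toy model.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// payload returns the image's payload bytes, or nil if absent.
func payload(img Image) []byte {
	for _, d := range img.Descriptors {
		if d.Kind == "payload" {
			return d.Data
		}
	}
	return nil
}

// eclAllowsInsecure mirrors the flawed check: the ECL fingerprint is compared
// against the fingerprint recorded in a signature descriptor, but the signature
// bytes are never verified against the payload.
func eclAllowsInsecure(img Image, allowedFPs []string) bool {
	for _, d := range img.Descriptors {
		if d.Kind != "signature" {
			continue
		}
		for _, fp := range allowedFPs {
			if d.Fingerprint == fp {
				return true
			}
		}
	}
	return false
}

// eclAllowsVerified is the hardened check: the image is admitted only if some
// signature verifies over the payload under a trusted public key whose
// fingerprint is allow-listed. The claimed fingerprint only selects a candidate
// key; it is never treated as proof by itself.
func eclAllowsVerified(img Image, trusted map[string]ed25519.PublicKey, allowedFPs []string) bool {
	body := payload(img)
	if body == nil {
		return false
	}
	allowed := map[string]bool{}
	for _, fp := range allowedFPs {
		allowed[fp] = true
	}
	for _, d := range img.Descriptors {
		if d.Kind != "signature" || !allowed[d.Fingerprint] {
			continue
		}
		pub, ok := trusted[d.Fingerprint]
		if !ok {
			continue
		}
		if ed25519.Verify(pub, body, d.Data) {
			return true
		}
	}
	return false
}

// buildScenario constructs sample data: a trusted signer, a legitimately
// signed image, and a forged image that only claims the trusted fingerprint
// while carrying an arbitrary payload signed by an unrelated key.
func buildScenario() (legit, forged Image, trusted map[string]ed25519.PublicKey, allowed []string) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // fixed seed, sample only
	pub := priv.Public().(ed25519.PublicKey)
	fp := fingerprint(pub)
	trusted = map[string]ed25519.PublicKey{fp: pub}
	allowed = []string{fp}

	good := []byte("legitimate container payload")
	legit = Image{Descriptors: []Descriptor{
		{Kind: "payload", Data: good},
		{Kind: "signature", Fingerprint: fp, Data: ed25519.Sign(priv, good)},
	}}

	// The forger never holds priv: they sign with their own key but copy the
	// trusted fingerprint into the descriptor's metadata.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	bad := []byte("arbitrary payload never approved by the trusted signer")
	forged = Image{Descriptors: []Descriptor{
		{Kind: "payload", Data: bad},
		{Kind: "signature", Fingerprint: fp, Data: ed25519.Sign(otherPriv, bad)},
	}}
	return legit, forged, trusted, allowed
}

func main() {
	legit, forged, trusted, allowed := buildScenario()
	fmt.Println("metadata-only check, legit :", eclAllowsInsecure(legit, allowed))
	fmt.Println("metadata-only check, forged:", eclAllowsInsecure(forged, allowed))
	fmt.Println("verified check, legit      :", eclAllowsVerified(legit, trusted, allowed))
	fmt.Println("verified check, forged     :", eclAllowsVerified(forged, trusted, allowed))
}
```

The point of the contrast is that a fingerprint stored inside the image is attacker-controlled data; an enforcement point must derive trust from a signature verified over the actual payload with a key it already trusts, and only then compare that key's fingerprint with the policy.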
Recommendations
For Sylabs Singularity versions 3.0 through 3.5, upgrade to version 3.6.0 to address the issue. Note that version 3.6.0 uses a new signature format incompatible with earlier versions. To ease the transition, the legacyinsecure option can be set to legacyinsecure = true in ecl.toml to allow verification of older, insecure legacy signatures, but this should only be used temporarily.
Fix
Improper Verification of Cryptographic Signature
Related Identifiers
Affected Products
Suse
Sylabs Singularity