7.5

CVSS Score

Basic Information

CVE ID

CVE-2020-13846

GHSA ID

GHSA-6w7g-p4jh-rf92

EPSS Score

CWE

Published

12/20/2021

Updated

1/20/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-13846

CVE-2020-13846:
"Verify All" Returns Success Despite Validation Failures in Singularity

Impact

The --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.

The SIF objects that are not verified are reported in WARNING log messages, but a Container Verified message and exit code of 0 are returned.

Workflows that verify a container using --all / -a and use the exit code as an indicator of success are vulnerable to running SIF containers that have unsigned, or modified, objects that may be exploited to introduce malicious behavior.

$ singularity verify -a image.sif 
WARNING: Missing signature for SIF descriptor 2 (JSON.Generic)
WARNING: Missing signature for SIF descriptor 3 (FS)
Container is signed by 1 key(s):

Verifying partition: Def.FILE:
12045C8C0B1004D058DE4BEDA20C27EE7FF7BA84
[LOCAL]   Unit Test <unit@test.com>
[OK]      Data integrity verified

INFO:    Container verified: image.sif

$ echo $?
0

Patches

Singularity 3.6.0 has a new implementation of sign/verify that fixes this issue.

All users are advised to upgrade to 3.6.0. Note that Singularity 3.6.0 uses a new signature format that is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.

Version 3.6.0 includes a --legacy-insecure flag for the singularity verify command, that will perform verification of the older, and insecure, legacy signatures for compatibility with existing containers. This does not guarantee that containers have not been modified since signing, due to other issues in the legacy signature format.

Workarounds

If you are unable to update to 3.6.0 ensure that you do not rely on the return code of singularity verify --all / -a as an indicator of trust in a container.

Note that other issues in the sign/verify implementation in Singularity < 3.6.0 allow additional means to introduce malicious behavior to a signed container.

For more information

General questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:

Any sensitive security concerns should be directed to: security@sylabs.io

See our Security Policy here: https://sylabs.io/security-policy

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2020-13846

GHSA ID

GHSA-6w7g-p4jh-rf92

EPSS Score

CWE

Published

12/20/2021

Updated

1/20/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/sylabs/singularity	go	>= 3.5.0, < 3.6.0	3.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the 'verify --all' implementation returning success (exit code 0) despite partial validation failures. This indicates: 1) The main verify command handler (in verify.go) fails to aggregate validation errors properly when multiple descriptors are checked. 2) The signature verification logic (in sypgp/verify.go) may not surface all failure states when operating in 'all' mode. The high confidence for the first function comes from the direct correlation between the CLI behavior and exit code handling. The medium confidence for the second function is based on the requirement for descriptor-level validation to influence the final result, though exact implementation details aren't visible in provided materials.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** `--*ll / -*` option to `sin*ul*rity v*ri*y` r*turns su***ss *v*n w**n som* o*j**ts in * SI* *ont*in*r *r* not si*n**, or **nnot ** v*ri*i**. T** SI* o*j**ts t**t *r* not v*ri*i** *r* r*port** in `W*RNIN*` lo* m*ss***s, *ut * `*ont*in

Reasoning

T** vuln*r**ility st*ms *rom t** 'v*ri*y --*ll' impl*m*nt*tion r*turnin* su***ss (*xit *o** *) **spit* p*rti*l v*li**tion **ilur*s. T*is in*i**t*s: *) T** m*in v*ri*y *omm*n* **n*l*r (in v*ri*y.*o) **ils to ***r***t* v*li**tion *rrors prop*rly w**n m

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-13846: "Verify All" Returns Success Despite Validation Failures in Singularity

Impact

Patches

Workarounds

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-13846:
"Verify All" Returns Success Despite Validation Failures in Singularity

Vulnerability Intelligence
Miggo AI