OpenSUSE Linux update for singularity
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-13845 CVE-2020-13846 CVE-2020-13847 |
| CWE-ID | CWE-347 CWE-20 CWE-354 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU31716
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13845
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the image integrity is not validated when an ECL policy is enforced. A remote attacker can bypass implemented security restrictions.
MitigationUpdate the affected packages.
SUSE Linux: 15
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU31717
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13846
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due the affected software fails to report an error in a Status Code. A remote attacker can run arbitrary SIF containers that have unsigned, or modified, objects.
MitigationUpdate the affected packages.
SUSE Linux: 15
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper validation of integrity check value
EUVDB-ID: #VU31718
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13847
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. A remote attacker can cause unexpected behavior.
MitigationUpdate the affected packages.
SUSE Linux: 15
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
