CVE-2020-8557: Node disk DOS by writing to container /etc/hosts #93032
Labels: area/kubelet, area/security, committee/security-response, kind/bug, official-cve-feed, sig/node
CVSS Rating: Medium (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M
The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Am I vulnerable?
Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).

Affected Versions
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by using PodSecurityPolicies or other admission webhooks to force containers to drop CAP_DAC_OVERRIDE or to prohibit privilege escalation and running as root, but these measures may break existing workloads that rely upon these privileges to function properly.
Fixed Versions
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection
Large pod etc-hosts files may indicate that a pod is attempting to perform a Denial of Service attack using this bug. A command such as run on a node can be used to find abnormally large pod etc-hosts files.
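As an added example (not part of the original advisory or the Kubernetes project), a POSIX shell script that scans a node for oversized pod etc-hosts files. It assumes kubelet's default root directory, /var/lib/kubelet, where each pod's hosts file is written to pods/<pod-uid>/etc-hosts, and uses a constructed 1 MiB threshold; a normal pod etc-hosts is a few hundred bytes.

```shell
#!/bin/sh
# Scan a node for pod etc-hosts files that are abnormally large.
# Assumption: default kubelet root dir, so hosts files live at
# /var/lib/kubelet/pods/<pod-uid>/etc-hosts. Override via environment.
KUBELET_PODS_DIR="${KUBELET_PODS_DIR:-/var/lib/kubelet/pods}"
# Constructed threshold in bytes (1 MiB); tune to your environment.
THRESHOLD_BYTES="${THRESHOLD_BYTES:-1048576}"

# Print "<size_bytes> <pod-uid> <path>" for each etc-hosts file above the
# threshold. $1 = pods directory, $2 = threshold in bytes.
# Returns 1 if the pods directory does not exist (kubelet root dir differs).
find_large_etc_hosts() {
  pods_dir="$1"
  threshold="$2"
  [ -d "$pods_dir" ] || return 1
  for f in "$pods_dir"/*/etc-hosts; do
    [ -f "$f" ] || continue
    # wc -c is portable; tr strips the leading padding some wc builds emit.
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$threshold" ]; then
      pod_uid=$(basename "$(dirname "$f")")
      printf '%s %s %s\n' "$size" "$pod_uid" "$f"
    fi
  done
}

# Count of offending files, convenient for alerting or a cron check.
# Same arguments as find_large_etc_hosts.
count_large_etc_hosts() {
  find_large_etc_hosts "$1" "$2" | wc -l | tr -d ' '
}

# Run against the live node only when the kubelet pods directory is present.
if [ -d "$KUBELET_PODS_DIR" ]; then
  find_large_etc_hosts "$KUBELET_PODS_DIR" "$THRESHOLD_BYTES"
fi
```

The pod UID in the output maps back to a workload with `kubectl get pods -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,UID:.metadata.uid`.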
Acknowledgements
This vulnerability was reported by Kebe Liu of DaoCloud, via the Kubernetes bug bounty program.