CVE-2020-8557: Node disk DOS by writing to container /etc/hosts #93032

Closed
joelsmith opened this issue Jul 13, 2020 · 3 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@joelsmith
Contributor

joelsmith commented Jul 13, 2020

CVSS Rating: Medium (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M

The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Am I vulnerable?

Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).

Affected Versions

  • kubelet v1.18.0-1.18.5
  • kubelet v1.17.0-1.17.8
  • kubelet < v1.16.13

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by using PodSecurityPolicies or other admission webhooks to force containers to drop CAP_DAC_OVERRIDE or to prohibit privilege escalation and running as root, but these measures may break existing workloads that rely upon these privileges to function properly.

Fixed Versions

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Large pod etc-hosts files may indicate that a pod is attempting to perform a Denial of Service attack using this bug. A command such as

find /var/lib/kubelet/pods/*/etc-hosts -size +1M

run on a node can be used to find abnormally large pod etc-hosts files.

Acknowledgements

This vulnerability was reported by Kebe Liu of DaoCloud, via the Kubernetes bug bounty program.

/area security
/kind bug
/committee product-security
/sig node
/area kubelet

@joelsmith joelsmith added the kind/bug Categorizes issue or PR as related to a bug. label Jul 13, 2020
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/node Categorizes an issue or PR as relevant to SIG Node. area/kubelet and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 13, 2020
@joelsmith joelsmith changed the title Placeholder issue CVE-2020-8557: Node disk DOS by writing to container /etc/hosts Jul 15, 2020
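The two practical pieces of the advisory above, the "Am I vulnerable?" criteria and the node-side detection command, as an added example that is not part of the issue and not kubelet or Kubernetes project code. It assumes a pod manifest already parsed into a Python dict (the `container_can_write_etc_hosts` and `audit_pod` names are mine), and a kubelet pod directory laid out as `/var/lib/kubelet/pods/<uid>/etc-hosts`; the scan is run over a constructed tree in a temporary directory so it works offline.

```python
"""
Added example (not from the Kubernetes issue or kubelet source): two checks
a defender can run around CVE-2020-8557.

1. container_can_write_etc_hosts(): an admission-style check over a pod
   manifest (already parsed into a dict) using the advisory's criteria:
   CAP_DAC_OVERRIDE retained, and either UID 0 or allowPrivilegeEscalation
   left at its default of true.
2. find_large_etc_hosts(): the advisory's node-side detection
   (find /var/lib/kubelet/pods/*/etc-hosts -size +1M) as a function that
   reports the pod UID and size of every oversized etc-hosts file.
"""
import glob
import os
import tempfile

DEFAULT_THRESHOLD = 1024 * 1024  # 1 MiB, matching the advisory's -size +1M


def container_can_write_etc_hosts(pod_spec, container):
    """Return True if the container keeps the privileges the advisory names."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in (caps.get("drop") or [])}
    added = {c.upper() for c in (caps.get("add") or [])}

    # Privileged containers keep every capability regardless of drop lists.
    privileged = bool(sc.get("privileged", False))
    has_dac_override = (privileged or "DAC_OVERRIDE" in added
                        or not (dropped & {"DAC_OVERRIDE", "ALL"}))

    # Container-level settings override pod-level ones.
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    # Unspecified UID: assume root unless runAsNonRoot is enforced (conservative).
    runs_as_root = run_as_user == 0 or (run_as_user is None and not run_as_non_root)

    # allowPrivilegeEscalation defaults to true; privileged forces it true.
    allow_pe = privileged or sc.get("allowPrivilegeEscalation", True)

    return bool(has_dac_override and (runs_as_root or allow_pe))


def audit_pod(pod):
    """Return names of containers (init and regular) that can write /etc/hosts."""
    spec = pod.get("spec") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return [c["name"] for c in containers if container_can_write_etc_hosts(spec, c)]


def find_large_etc_hosts(kubelet_pods_dir="/var/lib/kubelet/pods",
                         threshold=DEFAULT_THRESHOLD):
    """Return [(pod_uid, size_bytes)] for etc-hosts files larger than threshold."""
    findings = []
    for path in sorted(glob.glob(os.path.join(kubelet_pods_dir, "*", "etc-hosts"))):
        size = os.path.getsize(path)
        if size > threshold:
            findings.append((os.path.basename(os.path.dirname(path)), size))
    return findings


def demo_scan():
    """Build a constructed kubelet pod tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed pod UIDs, not real cluster data.
        normal = os.path.join(root, "11111111-aaaa-4bbb-8ccc-000000000001")
        bloated = os.path.join(root, "22222222-aaaa-4bbb-8ccc-000000000002")
        os.makedirs(normal)
        os.makedirs(bloated)
        with open(os.path.join(normal, "etc-hosts"), "w") as f:
            f.write("# Kubernetes-managed hosts file.\n127.0.0.1\tlocalhost\n")
        with open(os.path.join(bloated, "etc-hosts"), "wb") as f:
            f.write(b"0" * (2 * DEFAULT_THRESHOLD))  # 2 MiB of filler
        return find_large_etc_hosts(root)


if __name__ == "__main__":
    sample_pod = {"spec": {"containers": [
        {"name": "default-settings"},
        {"name": "hardened", "securityContext": {
            "capabilities": {"drop": ["DAC_OVERRIDE"]},
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True}},
    ]}}
    print("containers able to write /etc/hosts:", audit_pod(sample_pod))
    print("oversized etc-hosts files:", demo_scan())
```

The manifest check is deliberately conservative: a container with no `runAsUser` and no `runAsNonRoot` is treated as possibly root, which matches the advisory's mitigation of prohibiting root and privilege escalation rather than trying to guess the image's default user. The scan compares sizes with the same 1 MiB cutoff as the `find` command in the advisory; run it against the real kubelet directory by calling `find_large_etc_hosts()` with no arguments on a node.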
@aermakov-zalando

aermakov-zalando commented Jul 15, 2020

If this is a security issue, should I re-report #83107 as one as well? It allows the same thing (silently consuming arbitrary disk space on the node), but you don't even need /etc/hosts to be writable, any directory would do.

@joelsmith
Contributor Author

@aermakov-zalando please direct security disclosures or questions about security disclosures to one of the methods outlined here: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability

@PushkarJ
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)
