Description
CVSS Rating: Medium (5.5) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M
The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
Am I vulnerable?
Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).
Affected Versions
- kubelet v1.18.0-1.18.5
- kubelet v1.17.0-1.17.8
- kubelet < v1.16.13
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by using PodSecurityPolicies or other admission webhooks to force containers to drop CAP_DAC_OVERRIDE or to prohibit privilege escalation and running as root, but these measures may break existing workloads that rely upon these privileges to function properly.
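As an added illustration of the pre-upgrade mitigation described above (not a policy from the Kubernetes project or the advisory itself), the following PodSecurityPolicy drops DAC_OVERRIDE (PodSecurityPolicy lists capabilities without the CAP_ prefix), forbids privilege escalation, and requires a non-root UID. Either measure alone closes the write path the advisory describes; applying all three is the strictest option and the most likely to break existing workloads. The policy name and the volume list are assumptions chosen for this example.

```yaml
# Example PodSecurityPolicy (added here for illustration; name and volume
# list are assumptions). A PSP only takes effect once a Role/ClusterRole
# granting the "use" verb on it is bound to the service accounts concerned.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: deny-etc-hosts-write
spec:
  privileged: false
  # Blocks setuid binaries and similar routes to gaining root inside the container.
  allowPrivilegeEscalation: false
  # Without DAC_OVERRIDE the container cannot bypass the file's ownership and mode bits.
  requiredDropCapabilities:
    - DAC_OVERRIDE
  # Refuses pods that would run as UID 0.
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
```

PodSecurityPolicy was deprecated in v1.21 and removed in v1.25, so on newer clusters the same constraints belong in a Pod Security Admission level or an admission webhook; for the affected v1.16 to v1.18 releases listed above it is still available.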
Fixed Versions
- kubelet master - fixed by Include pod /etc/hosts in ephemeral storage calculation for eviction #92916
- kubelet v1.18.6 - fixed by Automated cherry pick of #92916: Include pod /etc/hosts in ephemeral storage calculation for #92921
- kubelet v1.17.9 - fixed by Automated cherry pick of #92916: Include pod /etc/hosts in ephemeral storage calculation for #92923
- kubelet v1.16.13 - fixed by Automated cherry pick of #92916: Include pod /etc/hosts in ephemeral storage calculation for #92924
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection
Large pod etc-hosts files may indicate that a pod is attempting to perform a Denial of Service attack using this bug. A command such as

find /var/lib/kubelet/pods/*/etc-hosts -size +1M

run on a node can be used to find abnormally large pod etc-hosts files.
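The one-line find above is enough for a spot check; the script below (added here as an example, not part of the advisory or of kubelet) wraps the same check in a POSIX sh function that reports the pod UID, the file size in bytes and the path for every oversized etc-hosts file, largest first, and returns non-zero when nothing is found so it can drive a cron job or node-agent alert. The threshold and the kubelet pod root are parameters; the resolve_pod_uid helper is an assumption that relies on kubectl being configured on the host it runs from.

```shell
#!/bin/sh
# Added example: scan kubelet pod directories for oversized etc-hosts files.
#
# find_large_etc_hosts [pods_root] [min_bytes]
#   Prints "<pod-uid> <size-bytes> <path>" for each pod whose etc-hosts file is
#   at least min_bytes, largest first. Returns 0 if any were found, 1 otherwise.
#   Defaults: /var/lib/kubelet/pods and 1 MiB (the advisory's "+1M").
find_large_etc_hosts() {
  pods_root="${1:-/var/lib/kubelet/pods}"
  min_bytes="${2:-1048576}"
  out=""
  for f in "$pods_root"/*/etc-hosts; do
    [ -f "$f" ] || continue          # unmatched glob or missing file
    size=$(wc -c < "$f")
    size=$((size + 0))               # strip the padding some wc builds emit
    if [ "$size" -ge "$min_bytes" ]; then
      uid=$(basename "$(dirname "$f")")   # kubelet names the pod dir by pod UID
      out="${out}${uid} ${size} ${f}
"
    fi
  done
  [ -n "$out" ] || return 1
  printf '%s' "$out" | sort -k2,2nr
}

# resolve_pod_uid <uid>
#   Maps a kubelet pod directory UID to "namespace/name" using kubectl.
#   Assumes kubectl is installed and configured; otherwise returns 1.
resolve_pod_uid() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not available" >&2; return 1; }
  kubectl get pods --all-namespaces --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,UID:.metadata.uid \
    | awk -v u="$1" '$3 == u { print $1 "/" $2 }'
}

# Usage on a node (uncomment to run as a script):
#   find_large_etc_hosts /var/lib/kubelet/pods 1048576 \
#     | while read -r uid size path; do
#         echo "$uid $size $(resolve_pod_uid "$uid" 2>/dev/null)"
#       done
```

The size threshold is deliberately a parameter: a legitimate etc-hosts file is a few hundred bytes, so anything in the megabyte range is anomalous, but a lower threshold such as 64 KiB catches slow writers earlier on nodes with little ephemeral storage. Because the check reads only file sizes under the kubelet pod root, it is safe to run on a node that has already been upgraded, where it serves as a regression check on the new eviction accounting.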
Acknowledgements
This vulnerability was reported by Kebe Liu of DaoCloud, via the Kubernetes bug bounty program.
/area security
/kind bug
/committee product-security
/sig node
/area kubelet