The kubelet eviction manager does not account for the ephemeral storage consumed by the /etc/hosts file that kubelet mounts into each pod on a node. A malicious pod that can write to this file can therefore fill the node's disk without being evicted, and the node stops responding to requests. This topic describes the impacts of CVE-2020-8557, the affected kubelet versions, and the suggested solutions for prevention and mitigation.
Impact scope
- kubelet v1.18.0~v1.18.5
- kubelet v1.17.0~v1.17.8
- kubelet < v1.16.13
The issue is fixed in kubelet v1.18.6, v1.17.9, and v1.16.13.
Impacts
The kubelet eviction manager does not account for the ephemeral storage consumed by the /etc/hosts file that kubelet mounts into each pod on a node, so a malicious pod that can write to this file is able to exhaust the node's storage without being evicted. As a result, the node stops responding to requests. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 5.5, which makes CVE-2020-8557 a medium-severity vulnerability. The following pods are affected:
- A pod that has the CAP_DAC_OVERRIDE Linux capability (granted by default).
- A pod that runs as root (UID 0), or a pod whose allowPrivilegeEscalation field in the security context is set to true (the default).
Prevention and mitigation
- Remove the CAP_DAC_OVERRIDE Linux capability from pods by using pod security policies or other admission control mechanisms. Note that in a pod's securityContext the capability is listed as DAC_OVERRIDE, without the CAP_ prefix. For more information, see [Deprecated] Use pod security policies.
- Prevent pods from running as root, and set allowPrivilegeEscalation to false in the security context. Both settings can be enforced by using pod security policies or other admission control mechanisms. For more information, see [Deprecated] Use pod security policies.
- Monitor the size of the /etc/hosts file of each pod. For example, you can enable tamper protection in the Security Center console. For more information, see Use the feature of web tamper proofing.
- You can run the following command as root on a node to find pods with an abnormally sized etc-hosts file. Each directory under /var/lib/kubelet/pods is named after the UID of the pod it belongs to, which you can use to identify the pod; if kubelet runs with a non-default --root-dir, search that directory instead:
find /var/lib/kubelet/pods/*/etc-hosts -size +1M
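The following Python script is an added example for both the prevention steps and the detection step above; it is not part of the original advisory or of Kubernetes. It audits Pod specs (for instance the output of `kubectl get pods -A -o json`) for the three hardening settings listed above, and it reproduces the `find` check over a kubelet pods directory while returning the pod UID so the hit can be traced back to a pod. The Pod specs and the fake kubelet directory are constructed sample data, the default kubelet root directory and the `kubectl` jsonpath lookup are assumptions, and the function names are the example's own.

```python
"""Audit helpers for CVE-2020-8557 (added example, not from the original advisory).

  * audit_pod(): report containers in a Pod spec that are still able to write
    the root-owned /etc/hosts that kubelet mounts: CAP_DAC_OVERRIDE kept,
    able to run as UID 0, or allowPrivilegeEscalation left at its default.
  * find_oversized_etc_hosts(): the `find /var/lib/kubelet/pods/*/etc-hosts
    -size +1M` check, returning the pod UID (the directory name) as well.
"""
import json
import os
import tempfile

MIB = 1 << 20


def _dropped_and_added_caps(container):
    # Kubernetes spells capabilities without the CAP_ prefix; "ALL" drops everything.
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = {c.upper() for c in caps.get("drop") or []}
    add = {c.upper() for c in caps.get("add") or []}
    return drop, add


def container_findings(pod, container):
    """List the hardening steps from the advisory that this container is missing."""
    pod_sc = pod["spec"].get("securityContext") or {}
    sc = container.get("securityContext") or {}
    findings = []

    drop, add = _dropped_and_added_caps(container)
    if "DAC_OVERRIDE" in add or not drop & {"DAC_OVERRIDE", "ALL"}:
        findings.append("CAP_DAC_OVERRIDE not dropped")

    # Container-level settings override pod-level ones. With neither runAsUser
    # nor runAsNonRoot set, the image's USER decides, which is often root.
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
        findings.append("may run as UID 0")

    # allowPrivilegeEscalation defaults to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not set to false")
    return findings


def audit_pod(pod):
    """Return {container name: findings}; an empty dict means the pod is hardened."""
    spec = pod["spec"]
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        findings = container_findings(pod, c)
        if findings:
            result[c["name"]] = findings
    return result


def audit_pod_list(json_text):
    """Audit the output of `kubectl get pods -A -o json`; keys are namespace/name."""
    report = {}
    for pod in json.loads(json_text).get("items", []):
        findings = audit_pod(pod)
        if findings:
            meta = pod["metadata"]
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return report


def find_oversized_etc_hosts(kubelet_pods_dir, threshold=MIB):
    """Return [(pod UID, size in bytes)] for etc-hosts files larger than threshold.

    Run on the node as root; pass kubelet's --root-dir/pods if it is not the default.
    A UID maps back to a pod with (assumed kubectl jsonpath filter syntax):
      kubectl get pods -A -o jsonpath='{.items[?(@.metadata.uid=="<uid>")].metadata.name}'
    """
    hits = []
    for uid in sorted(os.listdir(kubelet_pods_dir)):
        path = os.path.join(kubelet_pods_dir, uid, "etc-hosts")
        if not os.path.isfile(path):  # not every pod directory has a kubelet-managed hosts file
            continue
        size = os.stat(path).st_size
        if size > threshold:
            hits.append((uid, size))
    return hits


# Constructed sample data (not captured from a real cluster).
VULNERABLE_POD = {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "defaults", "namespace": "demo"},
                  "spec": {"containers": [{"name": "app", "image": "busybox"}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "hardened", "namespace": "demo"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                         "containers": [{"name": "app", "image": "busybox",
                                         "securityContext": {
                                             "allowPrivilegeEscalation": False,
                                             "capabilities": {"drop": ["ALL"]}}}]}}
SAMPLE_POD_LIST = json.dumps({"kind": "PodList", "items": [VULNERABLE_POD, HARDENED_POD]})


def make_sample_kubelet_dir():
    """Build a throwaway /var/lib/kubelet/pods look-alike with one bloated etc-hosts."""
    root = tempfile.mkdtemp(prefix="kubelet-pods-")
    for uid, size in (("11111111-1111-4111-8111-111111111111", 180),
                      ("22222222-2222-4222-8222-222222222222", 2 * MIB + 1)):
        os.makedirs(os.path.join(root, uid))
        with open(os.path.join(root, uid, "etc-hosts"), "wb") as fh:
            fh.write(b"# Kubernetes-managed hosts file.\n127.0.0.1\tlocalhost\n")
            fh.truncate(size)  # pad (sparsely) to the wanted size
    return root


if __name__ == "__main__":
    print(json.dumps(audit_pod_list(SAMPLE_POD_LIST), indent=2))
    print(find_oversized_etc_hosts(make_sample_kubelet_dir()))
```

Against a real cluster, save `kubectl get pods -A -o json` to a file and pass its contents to `audit_pod_list`; every listed container is one that still satisfies at least one of the affected-pod conditions above. The size check deliberately uses a strict "greater than" comparison on the byte count, which matches how `find -size +1M` treats a file of exactly 1 MiB.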