The eviction manager of kubelet does not track the ephemeral storage consumed by the /etc/hosts file that is mounted to pods on a node. In this case, a malicious pod that is mounted with the /etc/hosts file may exhaust the storage resource of the node by writing data into this file. As a result, the result stops responding to requests. This topic describes the impacts of CVE-2020-8557, the affected kubelet versions, and the suggested solutions for prevention and mitigation.

Impact scope

CVE-2020-8557 is discovered in the following kubelet versions:
  • kubelet v1.18.0~v1.18.5
  • kubelet v1.17.0~v1.17.9
  • kubelet<v1.16.13

Impacts

The eviction manager of kubelet does not track the ephemeral storage consumed by the /etc/hosts file that is mounted to pods on a node. In this case, a malicious pod that is mounted with the /etc/hosts file may exhaust the storage resource of the node by writing data into this file. As a result, the node stops responding to requests. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 5.5. This indicates that CVE-2020-8557 is a medium-severity vulnerability.

A pod with the following configurations can write data into the /etc/hosts file:
  • A pod with the CAP_DAC_OVERRIDE Linux capability (authorized by default).
  • A pod that is launched by a root user (with UID 0) or a pod where the allowPrivilegeEscalation field in the security context settings is set to true (the default value is true).

Prevention and mitigation

We recommend that you perform the following steps:
  • Remove the CAP_DAC_OVERRIDE Linux capability from pods by using pod security policies or other admission control mechanisms. For more information, see [Deprecated] Use pod security policies.
  • Forbid root users to launch pods. You can perform this task by using pod security policies or other admission control mechanisms, or by setting allowPrivilegeEscalation to false. For more information, see [Deprecated] Use pod security policies.
  • Monitor the size of the /etc/hosts file. For example, you can enable tamper protection in the Security Center console. For more information, see Use the feature of web tamper proofing.
  • You can run the following command on a node to find pods with an abnormally-sized etc-hosts file:
    find /var/lib/kubelet/pods/*/etc-hosts -size +1M