The kubelet eviction manager does not count the /etc/hosts file that kubelet mounts into each pod toward the pod's ephemeral storage usage. A malicious pod that can write to this file can therefore fill the disk of the node, bypassing its ephemeral-storage limit, until the node stops responding to requests. This topic describes the impact of CVE-2020-8557, the affected kubelet versions, and the suggested measures for prevention and mitigation.

Impact scope

CVE-2020-8557 affects the following kubelet versions:
  • kubelet 1.18.0 to 1.18.5
  • kubelet 1.17.0 to 1.17.9
  • kubelet versions earlier than 1.16.13

The fix is included in kubelet 1.16.13, 1.17.10, and 1.18.6.

Impacts

Kubelet generates an /etc/hosts file for each pod at /var/lib/kubelet/pods/<pod-uid>/etc-hosts on the node and bind-mounts it into the containers of the pod. The file lives on the filesystem of the node, but the kubelet eviction manager does not include it when it calculates the ephemeral storage usage of the pod. Writes to this file are therefore not capped by the ephemeral-storage limit of the pod and never trigger eviction, so a malicious pod that can write to it can fill the disk of the node until the node stops responding to requests. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 5.5, which makes CVE-2020-8557 a medium-severity vulnerability: it affects availability only, and the attacker must already be able to run a pod on the node.

Kubelet creates the file as root with mode 0644, so a container process can write to it only if it satisfies or bypasses that permission check. A pod with either of the following configurations can write data into the /etc/hosts file:
  • A pod whose containers have the CAP_DAC_OVERRIDE Linux capability, which bypasses file permission checks (granted by default).
  • A pod whose containers run as root (UID 0), or that can escalate to root (for example through a setuid binary) because the allowPrivilegeEscalation field in the security context settings is set to true (the default value is true).

A pod that runs as a non-root user, drops CAP_DAC_OVERRIDE, and sets allowPrivilegeEscalation to false cannot write to the file.

Prevention and mitigation

We recommend that you perform the following steps:
  • Upgrade kubelet to 1.16.13, 1.17.10, 1.18.6, or a later version, which count the /etc/hosts file toward ephemeral storage usage.
  • Remove the CAP_DAC_OVERRIDE Linux capability from pods by using pod security policies (the requiredDropCapabilities field) or other admission control mechanisms. For more information, see Use pod security policies.
  • Forbid pods from running as root. You can enforce this by using pod security policies (runAsUser with the MustRunAsNonRoot rule) or other admission control mechanisms, or in the pod security context by setting runAsNonRoot to true and the allowPrivilegeEscalation field to false. For more information, see Use pod security policies.
  • Monitor the size of the /etc/hosts file. For example, you can enable tamper protection in the Security Center console. For more information, see Enable tamper protection.
  • Run the following command on a node to find pods whose etc-hosts file is abnormally large (a normal file is a few hundred bytes). The directory name under /var/lib/kubelet/pods is the UID of the pod that owns the file.
    find /var/lib/kubelet/pods/*/etc-hosts -size +1M
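The following POSIX shell script is an added example that is not part of this topic or of Kubernetes itself. It automates the last step: it scans the kubelet pod directory for oversized etc-hosts files, prints each hit with the UID of its pod, and, when kubectl is available on the node, resolves that UID to a namespace/name. The function names, the KUBELET_ROOT variable, and the kilobyte threshold argument are conventions of this example only.

```shell
#!/bin/sh
# Added example (not from the advisory or from kubelet): find pods whose
# kubelet-generated etc-hosts file has grown past a threshold and map each
# hit back to the owning pod. Function names and the KUBELET_ROOT variable
# are this example's own conventions, not Kubernetes ones.

# find_large_etc_hosts ROOT THRESHOLD_KB
# Walks ROOT/pods/<pod-uid>/etc-hosts (the layout the advisory's find
# command relies on) and prints "<pod-uid> <size-bytes> <path>" for every
# file larger than THRESHOLD_KB kilobytes. Sizes are compared in bytes
# rather than with find -size so that thresholds below 1M work without
# unit rounding.
find_large_etc_hosts() {
    root="$1"
    threshold_bytes=$(( $2 * 1024 ))
    for path in "$root"/pods/*/etc-hosts; do
        [ -f "$path" ] || continue            # glob matched nothing
        size=$(( $(wc -c < "$path") ))       # arithmetic strips wc padding
        [ "$size" -gt "$threshold_bytes" ] || continue
        uid=$(basename "$(dirname "$path")")
        printf '%s %s %s\n' "$uid" "$size" "$path"
    done
}

# resolve_pod_uid POD_UID
# Resolves a pod UID to "namespace/name" through the API server. Needs a
# working kubectl context on the node; prints nothing if kubectl is absent
# or the pod has already been deleted.
resolve_pod_uid() {
    command -v kubectl >/dev/null 2>&1 || return 0
    kubectl get pods -A -o jsonpath='{range .items[?(@.metadata.uid=="'"$1"'")]}{.metadata.namespace}/{.metadata.name}{end}' 2>/dev/null
}

# Scan the live node when run with a threshold in KB, for example:
#   sh etc-hosts-scan.sh 512
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    find_large_etc_hosts "${KUBELET_ROOT:-/var/lib/kubelet}" "$1" |
    while read -r uid size path; do
        name=$(resolve_pod_uid "$uid")
        printf '%s\t%s bytes\t%s\n' "${name:-uid=$uid}" "$size" "$path"
    done
fi
```

Comparing sizes in bytes lets you set a threshold well below the 1M used in the one-line find command; because a legitimate etc-hosts file is only a few hundred bytes, a few kilobytes is already a strong signal. Pods that have been deleted no longer resolve through kubectl, so the script falls back to printing the UID, which you can still match against the directory on the node.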