The containerd community disclosed the GHSA-36xw-fx78-c5r4 vulnerability. The Common Vulnerabilities and Exposures (CVE) identifier of the vulnerability is CVE-2020-15257. If a container shares the network namespace of the host and a process inside the container runs with UID 0, an attacker in that container can reach the containerd-shim API socket, drive the containerd-shim process on the host, and have it launch new processes with the elevated (host root) privileges of the shim. This topic describes the impacts, causes, and preventive measures of the vulnerability.
The severity of CVE-2020-15257 is medium, and its Common Vulnerability Scoring System (CVSS) 3.1 base score is 5.2.
Impacts
Only pods that run in the host network namespace (hostNetwork: true) and contain a process with an effective UID of 0 are affected. Run the following command to list every pod in the cluster that uses host networking, together with its namespace; each entry is a candidate that must then be checked for root processes:
kubectl get pods -A -o json |
jq -c '.items[] | select(.spec.hostNetwork==true) |[.metadata.namespace, .metadata.name]'
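The command above lists host-network pods only; the vulnerability additionally needs a UID-0 process in the container. The following script, added here as an example and not part of the original advisory or of containerd, consumes the JSON printed by `kubectl get pods -A -o json` and reports only the pods that meet both conditions, taking pod-level and container-level securityContext settings (runAsUser and runAsNonRoot) into account. The pod list embedded in it is constructed sample data, and the script name audit_15257.py is an assumption.

```python
import json
import sys

# Constructed sample of `kubectl get pods -A -o json` output, trimmed to the
# fields the audit uses. Namespaces, names and images are invented.
SAMPLE_POD_LIST = {
    "items": [
        {   # host networking + no runAsUser: starts as the image's user (often root)
            "metadata": {"namespace": "monitoring", "name": "node-exporter-abc12"},
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "node-exporter", "image": "example/node-exporter"}],
            },
        },
        {   # host networking, but the container runs as a non-zero UID: not exposed
            "metadata": {"namespace": "default", "name": "foo"},
            "spec": {
                "hostNetwork": True,
                "containers": [{
                    "name": "foo", "image": "example/foo",
                    "securityContext": {"runAsUser": 12345, "allowPrivilegeEscalation": False},
                }],
            },
        },
        {   # pod-level runAsNonRoot forbids UID 0 even though no UID is pinned
            "metadata": {"namespace": "default", "name": "bar"},
            "spec": {
                "hostNetwork": True,
                "securityContext": {"runAsNonRoot": True},
                "containers": [{"name": "bar", "image": "example/bar"}],
            },
        },
        {   # root, but in its own network namespace: the shim socket is unreachable
            "metadata": {"namespace": "default", "name": "web"},
            "spec": {
                "containers": [{"name": "web", "image": "example/web",
                                "securityContext": {"runAsUser": 0}}],
            },
        },
    ]
}


def can_run_as_root(pod_spec, container):
    """True if the container may start with an effective UID of 0.

    A container-level securityContext overrides the pod-level one.
    runAsNonRoot: true makes the kubelet refuse to start the container as
    UID 0, so it counts as safe even when runAsUser is unset.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    if ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        return False
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    return uid is None or uid == 0   # unset means the image default, frequently root


def exposed_pods(pod_list):
    """Return [(namespace, name, [container names])] for pods that meet both
    CVE-2020-15257 conditions: host network namespace and a UID-0 container."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        if not spec.get("hostNetwork", False):
            continue   # a separate network namespace cannot reach the shim's socket
        all_containers = spec.get("initContainers", []) + spec.get("containers", [])
        root_ctrs = [c["name"] for c in all_containers if can_run_as_root(spec, c)]
        if root_ctrs:
            meta = pod["metadata"]
            findings.append((meta["namespace"], meta["name"], root_ctrs))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_15257.py
    # Without piped input the constructed sample above is audited instead.
    pod_list = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for ns, name, ctrs in exposed_pods(pod_list):
        print(f"{ns}/{name}: UID-0 containers on host network: {', '.join(ctrs)}")
```

On the sample data only monitoring/node-exporter-abc12 is reported: foo pins a non-zero UID, bar is protected by runAsNonRoot, and web runs as root but in its own network namespace. An image whose USER is non-root is still reported when runAsUser is unset, because the audit cannot inspect the image; treat such hits as "verify", not "exploitable".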
Vulnerability description
- containerd is the container runtime used by Kubernetes clusters and manages the underlying runC containers. It consists of a daemon that exposes gRPC service interfaces over local UNIX domain sockets, through which container lifecycles are managed.
- containerd-shim is a component of containerd that sits between the containerd daemon and the container processes, so that containers keep running even if the daemon restarts. containerd calls runC through containerd-shim to manage containers.
- The vulnerability lies in how containerd-shim exposes its own API. Before the fix, the shim listened on an abstract UNIX domain socket and only verified that the connecting process had an effective UID of 0. Abstract sockets are scoped by network namespace rather than by the filesystem, so any UID-0 process in a container that shares the host network namespace can connect to the socket, pass the check, and instruct the shim to start new processes with the shim's host-root privileges. containerd 1.3.9 and 1.4.3 fix the issue by restricting access to the shim socket. Note that containers started by an older containerd-shim remain vulnerable after the upgrade until they are stopped and restarted, because the old shim process keeps running.
Preventive measures
- Upgrade containerd to 1.3.9, 1.4.3, or a later release, and then restart containers that were started by the old containerd-shim so that they are managed by a fixed shim.
- Enable the Pod Security Policy (PSP) feature. You can set the hostNetwork parameter in a PSP to prevent pods in a specified namespace from using host networking. ACK allows you to configure PSPs in the ACK console. For more information, see Use a PSP. PSP is deprecated in Kubernetes 1.21 and removed in 1.25, so clusters on newer versions need an admission controller such as the one below instead.
- Install the gatekeeper component and use an Open Policy Agent constraint that rejects pods with hostNetwork: true in namespaces that do not require it. For more information about the component, see Introduction. For more information about how to install the component, see Example of open policy agent.
- If a workload genuinely requires host networking, run its containers as a non-zero UID and disable privilege escalation, as in the following pod spec. The shim only accepts connections from processes whose effective UID is 0, so a container whose processes run as UID 12345 cannot pass the check; allowPrivilegeEscalation: false prevents a setuid binary from regaining UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  hostNetwork: true   # Your containers must use host networking due to business requirements.
  containers:
  - name: foo
    image: <your-image>   # Placeholder: replace with the workload image.
    securityContext:
      runAsUser: 12345             # Any non-zero UID; the shim only accepts UID 0.
      allowPrivilegeEscalation: false