Vulnerability Description and Impact
A new, Kubernetes node related, security issue was discovered in Kubernetes and disclosed on July 15, 2020 as CVE-2020-8557.
This vulnerability received a CVSS rating of 5.5 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M.
The Kubernetes node agent, kubelet, has the ability to evict pods based on the resource utilization (CPU, memory, storage) of pods running on this node and the resource limits and the resource quotas policies that govern those resources.
In the event where Kubelet’s resource accounting mechanism fails to track correctly the actual resource consumption of pods - a malicious pod can render that Kubernetes node into a completely dysfunctional state. Specifically in this CVE by inducing a disk-space based resource shortage. Kubelet itself would be unable to infer from the system state the failure conditions and properly react to reconcile the system state into a healthy one.
For example, Kubelet may evict other Pods than the offending one, or may flag the Kubernetes scheduler that it is healthy to accept additional running pods.
For this specific vulnerability, if a pod is allowed to mount or modify /etc/hosts, that pod would be able to inflate ephemeral storage utilization without kubelet’s ability to correctly account for the storage usage and cause the node to fail.
Interestingly enough, it appears that a variant of this storage based DoS can be exploited by pods that have emptyDir volumes attached to them or even pods that can write to local file system large files, deletes them, but leaves the file handles open - this variant is by far easier to exploit based on the prerequisites required to mount such exploit.
Are You Vulnerable?
Clusters running pods with sufficient privileges to write to their own /etc/hosts files are affected.
This includes the following:
- Containers running with CAP_DAC_OVERRIDE in their capabilities which is the default behavior
- Containers running as root (UID 0)
- Containers running with security context that have the flag allowPrivilegeEscalation set to true - which is the default behavior
- kubelet v1.18.0-1.18.5
- kubelet v1.17.0-1.17.8
- kubelet < v1.16.13
Medium (5.5) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:H/IR:H/AR:M.
Automatic Detection of Vulnerable Clusters with Alcide Advisor
Alcide Advisor is our tailor-made Kubernetes security configuration and hygiene scanner, as well as multi-cluster kubernetes CVE scanner. Alcide Advisor covers rich Kubernetes and Istio security best practices, compliance checks, identifying misplaced secrets, excessive RBAC secrets access, and many more security configuration checks.
Specifically for CVE-2020-8557, with Alcide Advisor users can:
- Identify the vulnerable clusters for this vulnerability (as well as other CVEs)
- Identify and explicitly allow/deny which Pods can run with elevated privileges that enables CAP_DAC_OVERRIDE
- Identify and explicitly allow/deny which Pods can run on the host network.
- In applicable environments, Identify Pods that can run on master nodes that can potentially exploit the Kubernetes API Server.
Kubernetes, like any software, has bugs and vulnerabilities. The recent disclosures signal that more and more security researchers are digging deeper to surface those security bugs.
While there is a consensus behind the use of Kubernetes as the de-facto cloud native application operating system - running Kubernetes based infrastructure requires operators to monitor and secure all the moving parts, whether these are the application workloads or the platform and infrastructure components.
Alcide Advisor can identify vulnerable clusters and understand the risk surface associated with CVE-2020-8557, flag the deployment (Pods) that bear the prerequisites to initiate such an attack and even have in place well managed policies that can ensure Pods are denied access to the cluster if their configuration violate those prerequisites a successful CVE-2020-8557 exploit demands. Try Alcide Advisor now.