Azure Kubernetes Service: Node disk DoS by writing to container /etc/hosts (CVE-2020-8557)

Published date: September 01, 2020

The /etc/hosts file that kubelet mounts into every pod is not counted by the kubelet eviction manager when it calculates a pod's ephemeral storage usage. A pod that writes a large amount of data to its /etc/hosts file can therefore fill the node's disk without ever being evicted, causing the node to fail.

Am I vulnerable?

Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).

Affected Upstream Versions

kubelet v1.18.0-1.18.5
kubelet v1.17.0-1.17.8
kubelet < v1.16.13

How do I mitigate this vulnerability?

Until the cluster is upgraded, the vulnerability can be mitigated with admission policies that reject pods whose containers can write to /etc/hosts: for example, require allowPrivilegeEscalation: false and runAsNonRoot: true (and, where workloads allow it, drop the DAC_OVERRIDE capability). These policies may break existing workloads that rely on those privileges to function, so audit the cluster for affected pods before switching a policy from audit to deny.

Learn more about Secure pods with Azure Policy.

Full details, including the list of affected versions and mitigation steps, are in the upstream Kubernetes advisory for CVE-2020-8557.
