CVE-2020-8557

Uncontrolled Resource Consumption

Published: Jul 23, 2020 | Modified: Nov 21, 2024
CVSS 3.x (Source: NVD): 5.5 MEDIUM  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 2.1 LOW  AV:L/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2:
RedHat/V3: 5.5 MODERATE  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM

The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 does not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Name | Vendor | Start Version | End Version
--- | --- | --- | ---
Kubernetes | Kubernetes | * | 1.16.13 (excluding)
Kubernetes | Kubernetes | 1.17.0 (including) | 1.17.9 (excluding)
Kubernetes | Kubernetes | 1.18.0 (including) | 1.18.6 (excluding)
Red Hat OpenShift Container Platform 3.11 | RedHat | atomic-openshift-0:3.11.542-1.git.0.f2fd300.el7 | *
Red Hat OpenShift Container Platform 4.3 | RedHat | openshift4/ose-hyperkube:v4.3.37-202009151447.p0 | *
Red Hat OpenShift Container Platform 4.3 | RedHat | openshift-0:4.3.37-202009120213.p0.git.0.dffefe4.el8 | *
Red Hat OpenShift Container Platform 4.4 | RedHat | openshift-0:4.4.0-202008250319.p0.git.0.d653415.el8 | *
Red Hat OpenShift Container Platform 4.4 | RedHat | openshift4/ose-hyperkube:v4.4.0-202008250319.p0 | *
Red Hat OpenShift Container Platform 4.5 | RedHat | openshift-0:4.5.0-202008130146.p0.git.0.aaf1d57.el8 | *
Red Hat OpenShift Container Platform 4.5 | RedHat | openshift4/ose-hyperkube:v4.5.0-202008130146.p0 | *
Kubernetes | Ubuntu | eoan | *
Kubernetes | Ubuntu | focal | *
Kubernetes | Ubuntu | groovy | *
Kubernetes | Ubuntu | hirsute | *
Kubernetes | Ubuntu | impish | *
Kubernetes | Ubuntu | kinetic | *
Kubernetes | Ubuntu | lunar | *
Kubernetes | Ubuntu | mantic | *
Kubernetes | Ubuntu | oracular | *
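The affected upstream ranges given in the description and the table above (below 1.16.13, 1.17.0 to before 1.17.9, 1.18.0 to before 1.18.6) can be turned into a fleet check that reads the `kubeletVersion` field of `kubectl get nodes -o json` output. The following is an added example, not code from the Kubernetes project or from this record; the NodeList document embedded in it is constructed for illustration, and the check covers only upstream version numbers (vendor builds such as the OpenShift and Ubuntu packages listed above carry backported fixes, so their kubelet version string alone does not decide exposure).

```python
import json
import re
from typing import List, Optional, Tuple

# First fixed release of each affected upstream line, as stated on the page.
FIXED_VERSIONS = {
    (1, 16): (1, 16, 13),
    (1, 17): (1, 17, 9),
    (1, 18): (1, 18, 6),
}

# Accepts "v1.17.8", "1.17.8", and vendor suffixes such as "v1.17.8-gke.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Optional[Tuple[int, int, int]]:
    """Parse a kubelet version string into (major, minor, patch); None if unparsable."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the upstream version falls in an affected range, False if not,
    None if the string could not be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, _ = v
    if major != 1:
        return False
    if minor < 16:
        # The page lists 1.1 through 1.16.12 as affected, so every earlier
        # 1.x line is in scope (they received no fix release).
        return True
    fix = FIXED_VERSIONS.get((major, minor))
    if fix is None:
        return False  # 1.19 and later shipped with the fix
    return v < fix


def affected_nodes(node_list_json: str) -> List[Tuple[str, str]]:
    """Return (node name, kubeletVersion) for each node in a NodeList whose
    kubelet reports an affected upstream version."""
    doc = json.loads(node_list_json)
    hits = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        kubelet = item["status"]["nodeInfo"]["kubeletVersion"]
        if is_affected(kubelet):
            hits.append((name, kubelet))
    return hits


def _node(name: str, kubelet: str) -> dict:
    # Minimal Node object with only the fields the check reads (constructed).
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"kubeletVersion": kubelet}}}


# Constructed stand-in for `kubectl get nodes -o json` output.
SAMPLE_NODE_LIST = json.dumps({
    "kind": "NodeList",
    "items": [
        _node("worker-a", "v1.16.12"),   # last unfixed 1.16 patch
        _node("worker-b", "v1.17.9"),    # first fixed 1.17 patch
        _node("worker-c", "v1.18.5"),    # last unfixed 1.18 patch
        _node("worker-d", "v1.19.0"),    # shipped with the fix
        _node("worker-e", "v1.15.11"),   # pre-1.16 line, never fixed
    ],
})

if __name__ == "__main__":
    for name, kubelet in affected_nodes(SAMPLE_NODE_LIST):
        print(f"{name}: kubelet {kubelet} is in an affected range for CVE-2020-8557")
```

To run it against a live cluster, replace `SAMPLE_NODE_LIST` with the text of `kubectl get nodes -o json`; nodes reporting a vendor-patched build should be cross-checked against the vendor's advisory rather than the upstream ranges alone.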

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References