CVE-2020-8557

Kubernetes node disk Denial of Service by writing to container /etc/hosts

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

El componente kubelet de Kubenetes versiones 1.1-1.16.12, 1.17.0-1.17.8 y 1.18.0-1.18.5, no cuenta para el uso del disco por parte de un pod que escribe en su propio archivo /etc/hosts. El archivo /etc/hosts montado en un pod para kubelet no esta incluido para el administrador de desalojo de kubelet al calcular el uso de almacenamiento efímero por un pod. Si un pod escribe una gran cantidad de datos en el archivo /etc/hosts, podría llenar el espacio de almacenamiento del nodo y hacer que el nodo presente un fallo

A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained . This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file.

*Credits: Kebe Liu of DaoCloud

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-03 CVE Reserved
2020-07-23 CVE Published
2023-03-08 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (5)

URL	Tag	Source
https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ	Mailing List
https://security.netapp.com/advisory/ntap-20200821-0002	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/kubernetes/kubernetes/issues/93032	2023-01-27

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-8557	2021-10-28
https://bugzilla.redhat.com/show_bug.cgi?id=1835977	2021-10-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				< 1.16.13 Search vendor "Kubernetes" for product "Kubernetes" and version " < 1.16.13"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.17.0 < 1.17.9 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.17.0 < 1.17.9"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.18.0 < 1.18.6 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.18.0 < 1.18.6"		-		Affected