AKS | Azure Kubernetes Service: Node disk DOS by writing to container /etc/hosts (CVE-2020-8557)

Hi,

In this article I would like to share with you a new vulnerability affecting Azure Kubernetes Service.

Title: Node disk DOS by writing to container /etc/hosts

CVE: CVE-2020-8557

Description:

The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).

Affected versions:

kubelet v1.18.0-1.18.5
kubelet v1.17.0-1.17.8
kubelet < v1.16.13

Fixed versions:

AKS v1.15.11*, v1.15.12*
AKS v1.16.10* and v1.16.13+
AKS v1.17.7* and v1.17.9+
AKS v1.18.6+
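As an added example (not part of the original post or of Kubernetes itself), the following Python function audits pod manifests for the pre-conditions listed in the description above: CAP_DAC_OVERRIDE still in the bounding set, together with UID 0 or allowPrivilegeEscalation left at its default. The two pod specs are constructed, and the audit assumes a manifest-only view, so an unset runAsUser is treated as root unless runAsNonRoot is set.

```python
"""Audit pod specs for the CVE-2020-8557 pre-conditions named in the advisory."""

# Constructed sample pod specs (not taken from a real cluster). The first is a
# plain default pod; the second applies the hardening that removes every
# precondition the advisory lists.
DEFAULT_POD = {
    "metadata": {"name": "default-pod"},
    "spec": {"containers": [{"name": "app", "image": "busybox"}]},
}

HARDENED_POD = {
    "metadata": {"name": "hardened-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "app",
            "image": "busybox",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def container_can_write_hosts(pod_sc, container):
    """True if the container keeps the advisory's conditions: CAP_DAC_OVERRIDE
    still in the bounding set, and either UID 0 or allowPrivilegeEscalation
    at its default (true).

    Assumption: an unset runAsUser is treated as root, because the image
    default is unknown to a manifest-only audit."""
    # Container-level settings override pod-level ones (runAsUser, runAsNonRoot).
    sc = {**pod_sc, **container.get("securityContext", {})}
    dropped = {c.upper() for c in sc.get("capabilities", {}).get("drop", [])}
    has_dac_override = not ({"ALL", "DAC_OVERRIDE"} & dropped)
    uid = sc.get("runAsUser")
    is_root = uid is None or uid == 0
    if sc.get("runAsNonRoot") and uid is None:
        is_root = False  # kubelet refuses to start a root image in this case
    priv_esc = sc.get("allowPrivilegeEscalation", True)
    return has_dac_override and (is_root or priv_esc)


def audit_pod(pod):
    """Return the names of containers in the pod that could overwrite /etc/hosts."""
    pod_sc = pod["spec"].get("securityContext", {})
    return [c["name"] for c in pod["spec"]["containers"]
            if container_can_write_hosts(pod_sc, c)]
```

Running as non-root alone is not enough under the advisory's wording: a container with runAsUser 1000 but default capabilities and allowPrivilegeEscalation is still flagged.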

Maxime.
