Detect CVE-2020-8557 using Falco

By Kaizhe Huang - JULY 16, 2020


A new vulnerability, CVE-2020-8557, has been detected in kubelet. It can be exploited by writing into /etc/hosts to cause a denial of service (DoS).

The source of the issue is that the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager, so it’s not taken into account when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail, which acts as a DoS attack.

Severity: Medium.

Affected Kubernetes versions:

  • kubelet v1.18.0-1.18.5
  • kubelet v1.17.0-1.17.8
  • kubelet < v1.16.13

Detecting CVE-2020-8557 with Falco

CVE-2020-8557 is due to the fact that the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager. Normally, when consumption of an incompressible compute resource such as memory or disk hits the eviction threshold, the kubelet eviction manager starts evicting pods in order to preserve the availability of both the worker node and the other pods running on it.

Meanwhile, /etc/hosts is also an important file to the system. As your machine gets started, it will need to know the mapping of some hostnames to IP addresses before DNS can be referenced. This mapping is kept in the /etc/hosts file. In the absence of a name server, any network program on your system consults this file to determine the IP address that corresponds to a host name.

Detecting exploitation attempts of CVE-2020-8557 is critical.

Falco is the CNCF open source project for runtime threat detection for containers and Kubernetes. You can use Falco to detect malicious activity both at the host and at the container level. Falco will generate security events when it finds abnormal behaviors, which are defined by a customizable set of rules.

One of the benefits of Falco is its powerful and flexible rules language. Falco also ships with a handful of out-of-the-box detection rules. Let’s see how we can detect when someone is trying to exploit CVE-2020-8557.

Detect file writes below the /etc folder

Among the Falco out-of-the-box rules, there is one that detects any modification under the /etc folder, which includes the /etc/hosts file.

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

Or you could use a particular rule for CVE-2020-8557:

- rule: Detect Write Below /etc/hosts
  desc: an attempt to write to /etc/hosts file (CVE-2020-8557)
  condition: open_write and container and fd.name=/etc/hosts
  output: "File /etc/hosts opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

When a file write happens on the /etc/hosts file, the Falco rule above is triggered and the output looks like the following:

File /etc/hosts opened for writing (user=root command=bash parent=bash pcmdline=bash file=/etc/hosts program=bash gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=384fc3447d54 image=kaizheh/nginx)
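As an added illustration (not Falco's own code), the following Python models how the CVE-specific rule above is evaluated: the open_write and container macros are simplified from Falco's default rule set, the three events are constructed by hand, and the output template is rendered the way Falco prints it, including <NA> for missing fields.

```python
"""Model of Falco's evaluation of the "Detect Write Below /etc/hosts" rule.
Illustrative code written for this post; macro expansions are simplified
from Falco's default rules and the events below are constructed samples."""
import re

RULE_OUTPUT = (
    "File /etc/hosts opened for writing (user=%user.name command=%proc.cmdline "
    "parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name "
    "gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] "
    "container_id=%container.id image=%container.image.repository)"
)

def open_write(evt):
    # Falco macro 'open_write': open/openat with a write flag on a regular file
    return (evt["evt.type"] in ("open", "openat") and evt["evt.is_open_write"]
            and evt["fd.typechar"] == "f" and evt["fd.num"] >= 0)

def container(evt):
    # Falco macro 'container': the event did not originate on the host itself
    return evt["container.id"] != "host"

def rule_matches(evt):
    # condition: open_write and container and fd.name=/etc/hosts
    return open_write(evt) and container(evt) and evt["fd.name"] == "/etc/hosts"

def render_output(fmt, evt):
    # Replace each %field (optionally indexed, e.g. %proc.aname[2]) with its
    # value; fields absent from the event print as <NA>, as Falco does.
    return re.sub(r"%([a-z_.]+(?:\[\d+\])?)",
                  lambda m: str(evt.get(m.group(1), "<NA>")), fmt)

def alerts(events):
    return [render_output(RULE_OUTPUT, e) for e in events if rule_matches(e)]

BASE = {"evt.type": "openat", "fd.typechar": "f", "fd.num": 3, "fd.name": "/etc/hosts",
        "user.name": "root", "proc.name": "bash", "proc.cmdline": "bash",
        "proc.pname": "bash", "proc.pcmdline": "bash",
        "container.id": "384fc3447d54", "container.image.repository": "kaizheh/nginx"}

# Constructed events: only the first one should raise an alert.
CONSTRUCTED_EVENTS = [
    dict(BASE, **{"evt.is_open_write": True}),            # container writes /etc/hosts
    dict(BASE, **{"evt.is_open_write": False}),           # read-only open: no alert
    dict(BASE, **{"evt.is_open_write": True,
                  "container.id": "host"}),              # host-side write: no alert
]

if __name__ == "__main__":
    for line in alerts(CONSTRUCTED_EVENTS):
        print(line)
```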

And when you check the file size on the worker node, you will find the following:

root@ip-172-20-48-137:/home/admin# find /var/lib/kubelet/pods/*/etc-hosts -size +1M
/var/lib/kubelet/pods/a8e75db1-b0cf-487a-ab5c-8041d33824f1/etc-hosts

The size of the /etc/hosts file on the worker node is greater than 1M.

Mitigation Strategy for CVE-2020-8557

As CVE-2020-8557 targets the /etc/hosts file, a specific mitigation is to apply the following AppArmor profile to your running containers:

#include <tunables/global>
profile cve-2020-8557 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  # network access rules are subject to change per container
  network inet tcp,
  network inet udp,
  network inet icmp,
  deny network raw,
  deny network packet,
  file,
  umount,
  # deny writes to (and hard links of) the /etc/hosts file; deny rules take precedence over the broad "file," rule above
  deny /etc/hosts wl,
  # capabilities are subject to changes per container
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
}

The preceding AppArmor profile allows most activities from a container, but denies writing to the /etc/hosts file.

Conclusion

It’s important to apply the mitigation strategy for CVE-2020-8557 prior to upgrading Kubernetes. In addition to preventing the vulnerability from being exploited, it is also important to detect or monitor any file write on the /etc/hosts file.

Check out Falco and Sysdig Secure for more information to help mitigate the vulnerability.
