KCSA-CVE-2020-2024.md

File metadata and controls

68 lines (49 loc) · 2.45 KB

announcement-date: 2020-05-28

id: KCSA-CVE-2020-2024

title: Kata Containers improper link resolution vulnerability

description: An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host, together with all mount points underneath it, potentially resulting in a host DoS.

affected-components:

  • components: kata-runtime
    version: Before v1.11.0

vulnerabilities:

  • CVE-ID: CVE-2020-2024

reporters:

  • name: Yuval Avrahami
    affiliation: Palo Alto Networks
    reported:
    • CVE-2020-2024

issues:

links:
  • kata-containers/runtime#2474

reviews:

v1.11.0:
  • kata-containers/runtime#2475

type: GitHub

reproduce:

  • When Kata Containers is configured with overlay2 as the storage driver, the attack follows the steps below (all actions are executed by the malicious guest):

    1. Rename /run/kata-containers/shared/containers/${ctr-id} to /run/kata-containers/shared/containers/${ctr-id}_original_
    2. Then, recreate /run/kata-containers/shared/containers/${ctr-id}
    3. Create a symlink to the host target mount named /run/kata-containers/shared/containers/${ctr-id}/rootfs

    For devicemapper:

    1. Unmount /run/kata-containers/shared/containers/${ctr-id}
    2. Create a symlink to the host target mount named /run/kata-containers/shared/containers/${ctr-id}/rootfs

notes:

  • The vulnerability can be used to attack the host by malicious containers that find other ways to gain control over the guest. All users are advised to upgrade.

    The unmount operation is done with the MNT_DETACH flag, meaning that mount points under the target mount are unmounted as well. Because of that, if the attack targets '/', the host mounts underneath it (e.g., /proc, /sys, etc.) are unmounted too, leaving the host non-functional in most scenarios (e.g. as a Kubernetes node) and creating a Denial of Service.

    On Kubernetes, a malicious guest can trigger multiple container deletions simply by killing the container processes running on it. With the default Kubernetes restart policy, containers are removed and recreated. The malicious guest can repeat this process several times to trigger multiple unmount operations on the host.
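    The defensive check that the notes above call for, as an added Go example (not the project's own fix from kata-containers/runtime#2475): before the per-container rootfs path is handed to a MNT_DETACH unmount, every path component below the runtime-owned shared directory is Lstat'ed so a planted symlink is rejected instead of followed, and the target must resolve inside that directory. `SafeTeardownTarget`, `TeardownMount`, the injected `unmount` callback and the temp-dir layout built in `main` are all assumed names and constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeMountPath = errors.New("refusing unmount: symlink or escape from shared base")
// SafeTeardownTarget vets <base>/<ctr-id>/rootfs before it reaches umount2(MNT_DETACH):
// every component below base is Lstat'ed, so a symlink planted anywhere in the path
// is rejected instead of followed, and the target must stay inside base.
func SafeTeardownTarget(base, target string) (string, error) {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(target))
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", ErrUnsafeMountPath
	}
	cur := filepath.Clean(base) // base itself is the trusted, runtime-owned directory
	for _, part := range strings.Split(rel, "/") {
		cur = filepath.Join(cur, part)
		if fi, err := os.Lstat(cur); err != nil || fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
			return "", ErrUnsafeMountPath
		}
	}
	return cur, nil
}

// TeardownMount runs the check before the privileged call; unmount is injected so the
// example runs unprivileged (production code would call unix.Unmount(p, unix.MNT_DETACH)).
func TeardownMount(base, target string, unmount func(string) error) error {
	p, err := SafeTeardownTarget(base, target)
	if err != nil {
		return err
	}
	return unmount(p)
}

func main() { // constructed layout: ctr-good is legitimate, ctr-bad has rootfs swapped for a symlink
	base, _ := os.MkdirTemp("", "shared")
	defer os.RemoveAll(base)
	_ = os.MkdirAll(filepath.Join(base, "ctr-good", "rootfs"), 0o755)
	_ = os.MkdirAll(filepath.Join(base, "ctr-bad"), 0o755)
	_ = os.Symlink(filepath.Dir(base), filepath.Join(base, "ctr-bad", "rootfs"))
	logOnly := func(p string) error { fmt.Println("unmount -l", p); return nil }
	for _, c := range []string{"ctr-good", "ctr-bad"} {
		fmt.Printf("%s: %v\n", c, TeardownMount(base, filepath.Join(base, c, "rootfs"), logOnly))
	}
}
```

    Run with `go run .`: the legitimate rootfs reaches the unmount callback, the symlinked one is refused before any unmount is attempted.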