Kubernetes Security Announcement - Linux Kernel memory cgroups escape via sctp - CVE-2019-3874


Hello Kubernetes Community-

A security issue was discovered in the Linux Kernel that affects cgroup memory isolation via the esoteric sctp network transport. The issue is Medium severity and blacklisting the sctp kernel module is encouraged to fix this issue.

How do I mitigate the vulnerability?

Instructions for Linux distributions may vary. But, these instructions should work for most.

Blacklist the sctp module on all hosts:

echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf

Reboot the host if the sctp module is loaded. You can test this with lsmod | grep sctp

Am I vulnerable?

We recommend you blacklist the sctp module first, see mitigation above, before running this test. If the sctp module is inserted a reboot is required to unload the module.

Run modprobe sctp; lsmod | grep sctp, and if it says sctp you are potentially vulnerable.

How do I upgrade?

A Kernel patch is under development. However, blacklisting sctp and dccp, esoteric network protocols, is a common security practice and will protect users now and into the future.

Vulnerability Details

When a Pod runs as root it may bypass cgroup memory isolation, creating a potential DoS.

This issue is filed as CVE-2019-3874. See the CVE advisory for more details

Thank you

Thank you to Matteo Croce & Jason Sheperd for the notification.

Thank You,

Brandon on behalf of the Kubernetes Product Security Committee


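Added example (shell), not code from the announcement or from Matteo Croce's reply: the mitigation and the "Am I vulnerable?" check above written as functions that take their file paths as parameters, so they can be exercised against constructed listings without root. It goes a little beyond the post in three ways: it writes a "blacklist" line next to the "install" line so that a socket() call cannot auto-load the module either, it compares only the module-name column instead of "lsmod | grep sctp" (which also matches sctp_diag and anything in the "used by" column), and it consults modules.builtin, because a kernel with SCTP compiled in never shows it in lsmod and no modprobe.d rule can block it. The paths /etc/modprobe.d, /proc/modules and /lib/modules/$(uname -r)/modules.builtin are assumed distribution defaults; the sample listings used in the check are constructed.

```shell
#!/bin/sh
# Added example, not code from the announcement or from Matteo Croce's reply.
# Assumed layout (default on most distributions, verify on yours):
#   /etc/modprobe.d/*.conf                    read by modprobe
#   /proc/modules                             loaded modules, same data as lsmod
#   /lib/modules/$(uname -r)/modules.builtin  modules compiled into the kernel
# All three are parameters so the functions can run against constructed files;
# only the final "--host" block reads the live system.

# Write a modprobe.d drop-in that blocks the listed modules.
#   "install MOD /bin/true" is the line from the announcement: an explicit
#   "modprobe MOD" runs /bin/true instead of loading anything.
#   "blacklist MOD" also stops alias-driven autoloading, which is what happens
#   when a process calls socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) on a host
#   where the module is not loaded yet.
write_module_blocklist() {
    conf="$1"; shift
    : > "$conf"
    for mod in "$@"; do
        printf 'install %s /bin/true\nblacklist %s\n' "$mod" "$mod" >> "$conf"
    done
}

# True if MOD appears in a /proc/modules or lsmod listing. Only the first
# column is compared: a plain "lsmod | grep sctp" also matches sctp_diag and
# any module whose "used by" column names sctp, e.g. libcrc32c.
module_loaded() {
    modules_file="$1"; mod="$2"
    [ -r "$modules_file" ] || return 1
    awk -v m="$mod" '$1 == m { found = 1 } END { if (found) exit 0; exit 1 }' "$modules_file"
}

# True if MOD is compiled into the running kernel. Such a module never shows
# in lsmod, cannot be unloaded and is not affected by modprobe.d at all, so the
# "modprobe sctp; lsmod | grep sctp" test from the announcement would report
# nothing while SCTP sockets still work.
module_builtin() {
    builtin_file="$1"; mod="$2"
    [ -r "$builtin_file" ] || return 1
    grep -q "/${mod}\.ko\$" "$builtin_file"
}

# One-word verdict for MOD that a caller can branch on:
#   builtin  - compiled in; no modprobe.d rule helps, only a kernel without it
#   loaded   - in memory now; write the blocklist, then reboot to unload it
#   blocked  - not loaded, and an install rule in conf_dir refuses to load it
#   loadable - not loaded, but modprobe or a socket() call would load it
module_status() {
    mod="$1"; conf_dir="$2"; modules_file="$3"; builtin_file="$4"
    if module_builtin "$builtin_file" "$mod"; then echo builtin; return 0; fi
    if module_loaded "$modules_file" "$mod"; then echo loaded; return 0; fi
    if grep -qs "^install[[:space:]][[:space:]]*$mod[[:space:]]" "$conf_dir"/*.conf; then
        echo blocked
    else
        echo loadable
    fi
}

# Stand-alone use: "sh sctp_check.sh --host" reports sctp and dccp on this
# machine (read-only). The actual mitigation is, as root:
#   write_module_blocklist /etc/modprobe.d/sctp.conf sctp dccp
# followed by a reboot if either module was already loaded.
if [ "${1:-}" = "--host" ]; then
    for m in sctp dccp; do
        printf '%s: %s\n' "$m" "$(module_status "$m" /etc/modprobe.d /proc/modules \
            "/lib/modules/$(uname -r)/modules.builtin")"
    done
fi
```

The "builtin" verdict is the one the announcement's own test cannot produce, and it is the case where blacklisting gives no protection at all; on such hosts the only remedy is the kernel fix that the announcement says is under development.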



The bypass works even if the container doesn’t run as root.
In OpenShift, a SELinux rule forbids a non root user to create an SCTP socket, hence the statement “To mitigate this issue if not using SELinux, or if a Security Context Constraint allows running pods as the root user the ‘sctp’ module should be blacklisted”.

In any case, I'd not call SCTP an esoteric protocol; since it's mandatory in the 5G specifications, it will be more and more popular.

Matteo Croce