CVE-2021-25741 (severity HIGH, CVSS 8.8)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected projects
kubernetes
Disclosed
Last updated

Affected versions

Project   Vulnerable range
kubelet   v1.22.0 - v1.22.1
kubelet   v1.21.0 - v1.21.4
kubelet   v1.20.0 - v1.20.10
kubelet   <= v1.19.14

Patched versions

Project   Fixed in
kubelet   v1.22.2
kubelet   v1.21.5
kubelet   v1.20.11
kubelet   v1.19.15

Summary

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem. The vulnerability is caused by a symlink-exchange race condition in kubelet during subpath handling. Environments where cluster administrators have restricted the ability to create hostPath mounts are most seriously affected, because exploitation allows hostPath-like access without use of the hostPath feature, thereby bypassing the restriction.

Impact

A user who can create or manage Pods with subpath volume mounts may exploit this race condition to read or write files anywhere on the host node's filesystem, regardless of whether hostPath volumes are permitted by policy. The CVSS score of 8.8 reflects the high confidentiality, integrity, and availability impact. In a default Kubernetes environment, exploitation could also be used to obscure misuse of already-granted privileges. Versions affected span the 1.19 through 1.22 release lines.

Detection

Review all running Pods for use of subpath volume mounts, which are the prerequisite configuration for this attack. Audit kubelet logs and API server audit logs for unexpected file access patterns originating from containers. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.

Mitigation

Upgrade kubelet to the patched version for your release line:

  • Kubernetes v1.22.2 or later (for the 1.22 line)
  • Kubernetes v1.21.5 or later (for the 1.21 line)
  • Kubernetes v1.20.11 or later (for the 1.20 line)
  • Kubernetes v1.19.15 or later (for the 1.19 line)

If an immediate kubelet upgrade is not possible, disable the VolumeSubpath feature gate on both kubelet and kube-apiserver, and remove any existing Pods that use subpath volume mounts. Additionally, using admission control to prevent less-trusted users from running containers as root reduces the impact of successful exploitation.
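The two checks above (find Pods that use subpath volume mounts, and compare each kubelet against the fixed versions) can be scripted. The following is an added example written for this advisory, not code from the Kubernetes project; it works on a Pod list in the shape of `kubectl get pods -A -o json` (a constructed sample is embedded) and on kubelet version strings as reported by `kubectl get nodes`, and the vulnerable ranges are taken from the tables above.

```python
# Lowest fixed kubelet patch per release line, from the advisory's "Patched versions".
FIXED_PATCH = {(1, 19): 15, (1, 20): 11, (1, 21): 5, (1, 22): 2}

def parse_version(v):
    """'v1.21.3' or 'v1.21.3-gke.100' -> (1, 21, 3); pre-release/build suffixes are ignored."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    return major, minor, patch

def kubelet_vulnerable(v):
    """True if this kubelet version falls inside the advisory's vulnerable ranges."""
    major, minor, patch = parse_version(v)
    if major != 1 or minor > 22:
        return False               # 1.23 and later shipped with the fix
    if minor < 19:
        return True                # covered by the "<= v1.19.14" range
    return patch < FIXED_PATCH[(major, minor)]

def find_subpath_mounts(pod_list):
    """Return one record per container volumeMount that uses subPath or subPathExpr."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            for vm in c.get("volumeMounts", []):
                sub = vm.get("subPath") or vm.get("subPathExpr")
                if sub is None:
                    continue
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "pod": meta["name"], "container": c["name"],
                    "mount": vm["mountPath"], "subPath": sub,
                    # container-level setting overrides the pod-level one; non-root limits impact
                    "runAsNonRoot": bool(sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))),
                })
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web"},
     "spec": {"containers": [{"name": "app", "volumeMounts": [
         {"name": "data", "mountPath": "/srv/site", "subPath": "site"}]}]}},
    {"metadata": {"namespace": "kube-system", "name": "dns"},
     "spec": {"containers": [{"name": "coredns", "volumeMounts": [
         {"name": "cfg", "mountPath": "/etc/coredns"}]}]}},
]}
```

To run it against a live cluster, pass `json.load()` of the `kubectl get pods -A -o json` output to `find_subpath_mounts` and each node's `status.nodeInfo.kubeletVersion` to `kubelet_vulnerable`.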

References