CVE-2020-28914: Exploit Details and Defense Strategies

Learn about CVE-2020-28914 affecting Kata Containers. Discover the impact, affected systems, exploitation mechanism, and mitigation steps to secure your environment.

An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When a Kubernetes hostPath volume is used to mount a file or directory into a container as read-only, the file/directory is read-only inside the container but remains writable inside the guest. In a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.

Understanding CVE-2020-28914

This CVE involves an improper file permissions vulnerability in Kata Containers.

What is CVE-2020-28914?

CVE-2020-28914 is a vulnerability in Kata Containers that allows a malicious guest to modify or delete supposedly read-only files/directories.

The Impact of CVE-2020-28914

If a container breakout occurs, a malicious guest can modify or delete files/directories that were expected to be read-only.

Technical Details of CVE-2020-28914

This section provides technical details of the vulnerability.

Vulnerability Description

The vulnerability in Kata Containers prior to 1.11.5 allows files/directories mounted as readOnly inside a container to remain writable inside the guest.

Affected Systems and Versions

        Systems using Kata Containers prior to version 1.11.5

Exploitation Mechanism

        Malicious guests can exploit the vulnerability by modifying or deleting supposedly read-only files/directories.

Mitigation and Prevention

Protecting systems from CVE-2020-28914 is crucial to maintaining security.

Immediate Steps to Take

        Update Kata Containers to version 1.11.5 or later.
        Monitor and restrict guest access to prevent unauthorized modifications.

Long-Term Security Practices

        Regularly audit file permissions and access controls.
        Implement container security best practices to prevent breakout scenarios.
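
To find workloads that match the configuration described on this page (a hostPath volume mounted read-only into a pod run by Kata Containers), the following added example checks a pod spec and a Kata version string; it is not code from Kata Containers or from the original advisory. The RuntimeClass name `kata` and the sample pod are assumptions constructed for illustration.

```python
FIXED = (1, 11, 5)  # first fixed release, per the advisory text on this page

def is_vulnerable(version: str) -> bool:
    """True if a Kata Containers version string is older than 1.11.5."""
    core = version.split("-")[0]  # drop suffixes such as "-rc0"
    return tuple(int(p) for p in core.split(".")[:3]) < FIXED

def exposed_mounts(pod: dict, kata_classes=("kata",)) -> list:
    """Return (container, mountPath, hostPath) for each read-only hostPath
    mount in a pod whose runtimeClassName is one of kata_classes.
    kata_classes is an assumption: RuntimeClass names are cluster-specific."""
    spec = pod.get("spec", {})
    if spec.get("runtimeClassName") not in kata_classes:
        return []
    # Map volume name -> host path, for hostPath volumes only.
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    hits = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("readOnly") and m["name"] in host_vols:
                hits.append((c["name"], m["mountPath"], host_vols[m["name"]]))
    return hits

# Constructed sample pod in the shape of one item from `kubectl get pods -o json`.
SAMPLE_POD = {
    "metadata": {"name": "log-reader"},
    "spec": {
        "runtimeClassName": "kata",
        "volumes": [
            {"name": "host-logs", "hostPath": {"path": "/var/log"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [{
            "name": "reader",
            "volumeMounts": [
                {"name": "host-logs", "mountPath": "/logs", "readOnly": True},
                {"name": "scratch", "mountPath": "/tmp/work"},
            ],
        }],
    },
}

if __name__ == "__main__":
    pod_name = SAMPLE_POD["metadata"]["name"]
    for container, mount, host in exposed_mounts(SAMPLE_POD):
        print(f"{pod_name}/{container}: {host} -> {mount} "
              f"(readOnly is only enforced in the guest on Kata >= 1.11.5)")
```

Any pod this reports on a node where `is_vulnerable()` is true for the installed Kata version should be treated as having a writable hostPath from the guest's point of view until the runtime is updated.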

Patching and Updates

        Apply patches and updates provided by Kata Containers to address the vulnerability.
