CRI-O
cpe:2.3:a:kubernetes:cri-o:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the CRI-O application. When a container is launched with the securityContext.runAsUser option set to a non-existent user, CRI-O attempts to create the user by reading the entire /etc/passwd file from the container into memory. If this file is excessively large, it can cause significant memory consumption, leading to applications being terminated due to out-of-memory conditions. This issue can disrupt other pods and services running on the same host.
Exploitation of this vulnerability can cause high memory usage, leading to applications being killed for exceeding memory limits. This out-of-memory condition can disrupt other pods and services on the same host.
To reproduce this vulnerability, launch a container using CRI-O and specify a user in the securityContext.runAsUser field that does not exist in the container's /etc/passwd file. CRI-O will attempt to create the user by reading the passwd file into memory. If the passwd file is large, this will result in high memory consumption, causing a denial-of-service condition.
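The defensive counterpart to the unbounded read described above, as an added example in Go (the language CRI-O is written in); it is not CRI-O's code or its actual fix. The helper `uidExists`, the error value and the 1 MiB cap are assumptions made for illustration: the lookup streams passwd-format data line by line and refuses input over the cap instead of loading the whole file.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// maxPasswdBytes is an assumed cap chosen for this example, not a CRI-O value.
const maxPasswdBytes = 1 << 20

// ErrPasswdTooLarge is returned when the input exceeds the cap.
var ErrPasswdTooLarge = errors.New("passwd data exceeds size cap")

// uidExists (hypothetical helper) scans passwd-format data line by line and
// reports whether uid is present, consuming at most limit+1 bytes of input.
func uidExists(r io.Reader, uid int, limit int64) (bool, error) {
	// One extra byte lets us tell "exactly at the cap" from "over the cap".
	lr := &io.LimitedReader{R: r, N: limit + 1}
	sc := bufio.NewScanner(lr) // default 64 KiB max line length also bounds memory
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 3 {
			continue // malformed entry, skip
		}
		if n, err := strconv.Atoi(f[2]); err == nil && n == uid {
			return true, nil
		}
	}
	if err := sc.Err(); err != nil {
		return false, err // includes bufio.ErrTooLong for oversized lines
	}
	if lr.N <= 0 {
		return false, ErrPasswdTooLarge
	}
	return false, nil
}

func main() {
	// Constructed sample data standing in for a container's /etc/passwd.
	normal := "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
	huge := strings.Repeat("u:x:1:1::/:/bin/sh\n", 200000)
	fmt.Println(uidExists(strings.NewReader(normal), 4242, maxPasswdBytes))
	fmt.Println(uidExists(strings.NewReader(huge), 4242, maxPasswdBytes))
}
```

A caller that receives `ErrPasswdTooLarge` can fail the container start for that one workload rather than letting the runtime's memory grow with attacker-controlled file size.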