This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 71%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENY%3C/text%3E%3C/svg%3E)
We find a docker security issue to exhaust unprivilege user’s persudo-terminals in Linux Kernel and causing DoS attack in the Azure AKS environment.
Reproduction steps:
1.Follow the AKS tutorial to set up AKS clusters. We use one Virtual Machine with 8G memory, 120G SSD Disk, linux 5.4.0-1043-azure OS, Kubernetes Version V1.18.14 and Docker Version 19.3.14, to set the Azure Kubernetes Cluster. All those settings are done through by Azure Kubernetes UI.
2.Deploy the docker unprivileged malicious container with UID 1000, dropping all capabilities, using limited memory 2G, running on special core and disable privilege escalation. We run malicious container in a separate Kubernetes Namespace.
3.Inside the malicious container, we start four processes and make syscall open(/dev/ptmx) repeatedly. In total, around 3072 number of persudo-terminals are consumed and there are no available persudo-termainals can be used by other unprivilege user.
Is there any way to defend against this attack inside Azure AKS environment? Looking forward to your reply!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
I am currently investigating and will get back to you soon.
@KarishmaTiwari-MSFT Hello Karishmatiwari! I submitted my concern about the Azure AKS environment about two months ago, is there any new developments on this issue? Is it a real issue that exists in the Azure AKS environment? Looking forward to your reply!
@KarishmaTiwari-MSFT Hello Karishmatiwari! I have sent an email to Azure Community as you asked, but I have got no response. Have you received my email? Are there any new developments on these issues? Looking forward to your reply!