CVE-2024-33602: Name Service Cache Daemon’s (nscd) design limitation (6 May 2024)

Preface: Kubernetes creates DNS records for Services and Pods. You can contact Services with consistent DNS names instead of IP addresses. Kubernetes publishes information about Pods and Services which is used to program DNS. Kubelet configures Pods’ DNS so that running containers can look up Services by name rather than IP.

Background: When nscd is enabled, your Linux computer can retrieve DNS messages locally. Because the Linux operating system has an additional function that collects the browser cache and DNS cache (instead of waiting for a public DNS resolver), your frequently visited sites will load much faster than other sites.

Nscd is a daemon that provides a cache for the most common name service requests. The default configuration file, /etc/nscd.conf, determines the behavior of the cache daemon.

DNS domain name resolution in a Kubernetes cluster often has problems for various reasons, including kernel problems and load problems. You can use nscd in a Kubernetes cluster to improve lookup efficiency.

Vulnerability details: nscd: netgroup cache assumes NSS callback uses in-buffer strings. The Name Service Cache Daemon’s (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-33602
