New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Oct 30, 2023 | Newsroom | Kubernetes / Server Security


Three unpatched high-severity security flaws were disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.

The weaknesses are as follows –

  • CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx Path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
  • CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
  • CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation

“These vulnerabilities would allow an attacker to gain control over the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, says of CVE-2023-5043 and CVE-2023-5044.

Successful exploitation of the flaws may allow an adversary to inject arbitrary code into the ingress controller process, and gain unauthorized access to sensitive data.


CVE-2022-4886, resulting from a lack of validation in the “spec.rules[].http.paths[].path” field, allows an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.

“In Ingress objects the operator can define which incoming HTTP path is routed to which internal path,” Hirschberg said. “The vulnerable application does not properly check the validity of the internal path and it may point to an internal file which contains the service account token that is the client credential for authenticating against the API server.”

In the absence of fixes, software maintainers have released mitigations that include enabling the “strict-validate-path-type” option and setting the “--enable-annotation-validation” flag to prevent Ingress objects with invalid characters from being created and to enforce additional restrictions.

ARMO says that updating NGINX to version 1.19, along with adding the “--enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
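An added example (not code from the article, ARMO or the ingress-nginx project) that audits an ingress-nginx install for the two mitigations named above. It assumes the controller container is named "controller" and takes objects in the shape `kubectl get ... -o json` produces; the sample objects are constructed, not real cluster output.

```python
STRICT_KEY = "strict-validate-path-type"        # ConfigMap key named in the article
ANNOT_FLAG = "--enable-annotation-validation"  # controller CLI flag named in the article


def audit_ingress_nginx(configmap: dict, deployment: dict) -> list:
    """Return findings for missing mitigations; an empty list means both are in place.

    Inputs are parsed `kubectl get -o json` objects. The controller container is
    assumed to be named "controller" (assumption; adjust for your install)."""
    findings = []
    data = configmap.get("data") or {}
    if str(data.get(STRICT_KEY, "")).lower() != "true":
        findings.append(f"ConfigMap: {STRICT_KEY} not enabled (value={data.get(STRICT_KEY)!r})")

    containers = deployment["spec"]["template"]["spec"].get("containers", [])
    ctl = next((c for c in containers if c.get("name") == "controller"), None)
    if ctl is None:
        findings.append("Deployment: no container named 'controller' found")
    else:
        argv = list(ctl.get("command", [])) + list(ctl.get("args", []))
        # Bare flag or explicit "=true" both enable validation; "=false" disables it.
        enabled = any(a in (ANNOT_FLAG, ANNOT_FLAG + "=true") for a in argv)
        if not enabled:
            findings.append(f"Deployment: controller args lack {ANNOT_FLAG}")
    return findings


# Constructed sample objects (not real cluster output): a weak and a hardened install.
WEAK_CM = {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"}, "data": {}}
WEAK_DEPLOY = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "controller", "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}]}}}}

HARDENED_CM = {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
               "data": {STRICT_KEY: "true"}}
HARDENED_DEPLOY = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "controller", "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader",
                                    ANNOT_FLAG]}]}}}}

if __name__ == "__main__":
    for label, cm, dep in (("weak", WEAK_CM, WEAK_DEPLOY), ("hardened", HARDENED_CM, HARDENED_DEPLOY)):
        print(label, "->", audit_ingress_nginx(cm, dep) or ["OK"])
```

Against a live cluster, feed it the JSON from `kubectl -n ingress-nginx get configmap ingress-nginx-controller -o json` and `kubectl -n ingress-nginx get deploy ingress-nginx-controller -o json` (namespace and names assumed from the standard manifests).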

“Even though they’re pointing in different directions, all of these vulnerabilities point to the same root problem,” Hirschberg said.

“The fact that ingress controllers have access to TLS secrets and Kubernetes APIs by design makes them workloads with high privilege scope. Additionally, because they are always public internet facing components, they are a weak point for external traffic to enter the cluster through them.”
