Three unpatched high-severity security flaws have been disclosed within the NGINX Ingress controller for Kubernetes that may very well be weaponized by a risk actor to steal secret credentials from the cluster.
The vulnerabilities are as follows –
- CVE-2022-4886 (CVSS rating: 8.8) – Ingress-nginx path sanitization will be bypassed to acquire the credentials of the ingress-nginx controller
- CVE-2023-5043 (CVSS rating: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
- CVE-2023-5044 (CVSS rating: 7.6) – Code injection through nginx.ingress.kubernetes.io/permanent-redirect annotation
“These vulnerabilities allow an attacker who can management the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, mentioned of CVE-2023-5043 and CVE-2023-5044.
Profitable exploitation of the failings might permit an adversary to inject arbitrary code into the ingress controller course of, and achieve unauthorized entry to delicate information.
CVE-2022-4886, a results of a scarcity of validation within the “spec.guidelines[].http.paths[].path” discipline, permits an attacker with entry to the Ingress object to siphon Kubernetes API credentials from the ingress controller.
“Within the Ingress object, the operator can outline which incoming HTTP path is routed to which internal path,” Hirschberg famous. “The susceptible utility doesn’t test correctly the validity of the internal path and it could actually level to the interior file which incorporates the service account token that’s the shopper credential for authentication towards the API server.”
Within the absence of fixes, the maintainers of the software program have launched mitigations that contain enabling the “strict-validate-path-type” choice and setting the –enable-annotation-validation flag to stop the creation of Ingress objects with invalid characters and implement further restrictions.
ARMO mentioned that updating NGINX to model 1.19, alongside including the “–enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
“Though they level in several instructions, all of those vulnerabilities level to the identical underlying downside,” Hirschberg mentioned.
“The truth that ingress controllers have entry to TLS secrets and techniques and Kubernetes API by design makes them workloads with excessive privilege scope. As well as, since they’re typically public web going through parts, they’re very susceptible to exterior visitors getting into the cluster via them.”
