New vulnerabilities in the NGINX Ingress Controller for Kubernetes
Threats to the integrity and security of Kubernetes clusters
Three new high-severity vulnerabilities have been discovered in the NGINX Ingress Controller for Kubernetes, which could allow an attacker to steal credentials from the cluster. The vulnerabilities involve path sanitization, annotation injection, and code injection. The suggested mitigation is to update NGINX and enable the "--enable-annotation-validation" command-line option. Ingress controllers are high-risk workloads because of their access to secrets and the Kubernetes API.
Three new high-severity security vulnerabilities have been discovered in the NGINX Ingress Controller for Kubernetes, which could be exploited by an attacker to steal secret credentials from the cluster.
The vulnerabilities discovered
The vulnerabilities are as follows:
- CVE-2022-4886 (CVSS score: 8.8): Ingress-nginx path sanitization can be bypassed to obtain Ingress-nginx controller credentials.
- CVE-2023-5043 (CVSS score: 7.6): Annotation injection in Ingress-nginx causes arbitrary command execution.
- CVE-2023-5044 (CVSS score: 7.6): Code injection via the "nginx.ingress.kubernetes.io/permanent-redirect" annotation.
“These vulnerabilities allow an attacker, capable of controlling the configuration of the Ingress object, to steal secret credentials from the cluster,” said Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, regarding CVE-2023-5043 and CVE-2023-5044.
The consequences of vulnerabilities
Exploitation of the vulnerability could allow an attacker to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886, the result of a lack of validation in the "spec.rules[].http.paths[].path" field, allows an attacker with access to the Ingress object to steal credentials from the ingress controller.
To address the CVE-2023-5043 and CVE-2023-5044 vulnerabilities, ARMO suggests updating NGINX to version 1.19 and enabling the "--enable-annotation-validation" command line configuration.
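As a complement to the upgrade and the validation flag, existing Ingress objects can be audited for values in the two fields named above that do not look like plain paths or URLs. The following is an added example, not code from ARMO or the ingress-nginx project; the character allowlists and the sample objects are assumptions constructed for illustration.

```python
import json
import re
import sys
from urllib.parse import urlsplit

REDIRECT = "nginx.ingress.kubernetes.io/permanent-redirect"
# Assumption of this example: an Exact/Prefix path needs only these characters.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/._-]*")
# Assumption of this example: a redirect target never needs whitespace or
# characters that are structural in an NGINX configuration file.
CONFIG_CHARS = re.compile(r"[\s;{}\"'\\]")

def is_plain_url(value):
    """True only for an http(s) URL free of configuration metacharacters."""
    if CONFIG_CHARS.search(value):  # check raw text: urlsplit drops tabs/newlines
        return False
    try:
        url = urlsplit(value)
    except ValueError:
        return False
    return url.scheme in ("http", "https") and bool(url.netloc)

def audit(doc):
    """Return (namespace/name, field, value) findings for an Ingress or a List."""
    findings = []
    for ing in doc.get("items", [doc]):
        meta = ing.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        target = (meta.get("annotations") or {}).get(REDIRECT)
        if target is not None and not is_plain_url(target):
            findings.append((name, REDIRECT, target))
        for rule in (ing.get("spec") or {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path") or "/"
                if p.get("pathType") in ("Exact", "Prefix") and not SAFE_PATH.fullmatch(path):
                    findings.append((name, "spec.rules[].http.paths[].path", path))
    return findings

# Constructed sample input, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "ok",
                  "annotations": {REDIRECT: "https://example.org/new"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/cart", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "odd-redirect",
                  "annotations": {REDIRECT: "https://example.org/new ;"}}},
    {"metadata": {"namespace": "blog", "name": "odd-path"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/a b", "pathType": "Exact"}]}}]}},
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit(doc):
        print(*finding, sep="\t")
```

Paths with pathType "ImplementationSpecific" are skipped because they may legitimately contain regular expressions; review those by hand.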
The risks associated with ingress controllers
“Despite pointing in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said. “The fact that ingress controllers have access to TLS secrets and the Kubernetes API by design makes them workloads with a high level of privilege. Furthermore, because they are often components exposed to the Internet, they are very vulnerable to access by external traffic to the cluster through them.”
11/01/2023 12:10
Marco Verro