New vulnerabilities in the NGINX Ingress Controller for Kubernetes

Three new high-severity security vulnerabilities have been discovered in the NGINX Ingress Controller for Kubernetes, which could be exploited by an attacker to steal secret credentials from the cluster.

The vulnerabilities discovered

The vulnerabilities are as follows:

• CVE-2022-4886 (CVSS score: 8.8): Ingress-nginx path sanitization can be bypassed to obtain Ingress-nginx controller credentials.
• CVE-2023-5043 (CVSS score: 7.6): Annotation injection in Ingress-nginx causes arbitrary command execution.
• CVE-2023-5044 (CVSS score: 7.6): Code injection via the "nginx.ingress.kubernetes.io/permanent-redirect" annotation.

“These vulnerabilities allow an attacker, capable of controlling the configuration of the Ingress object, to steal secret credentials from the cluster,” said Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, regarding CVE-2023 -5043 and CVE-2023-5044.

The consequences of vulnerabilities

Exploitation of the vulnerability could allow an attacker to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.

CVE-2022-4886, the result of a lack of validation in the "spec.rules[].http.paths[].path" field, allows an attacker with access to the Ingress object to steal credentials from the input controller.

To address the CVE-2023-5043 and CVE-2023-5044 vulnerabilities, ARMO suggests updating NGINX to version 1.19 and enabling the "--enable-annotation-validation" command line configuration.

The risks associated with input controllers

“Despite pointing in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said. “The fact that ingress controllers have access to TLS secrets and the Kubernetes API by design makes them workloads with a high level of privilege. Furthermore, because they are often components exposed to the Internet, they are very vulnerable to access by external traffic to the cluster through them".