Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
The vulnerabilities are as follows –
- CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
- CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
- CVE-2023-5044 (CVSS score: 7.6) – Code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation
“These vulnerabilities allow an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.
Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886, a result of a lack of validation in the “spec.rules[].http.paths[].path” field, allows an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.
“In the Ingress object, the operator can define which incoming HTTP path is routed to which internal path,” Hirschberg noted. “The vulnerable application does not properly check the validity of the internal path, and it can point to the internal file which contains the service account token that is the client credential for authentication against the API server.”
In the absence of fixes, the maintainers of the software have released mitigations that involve enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.
ARMO said that updating NGINX to version 1.19, along with adding the “--enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
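As an added example (not code from the advisory, from ARMO, or from the ingress-nginx project), the following Python audit helper shows the defender-side checks that the two mitigations above imply: it flags Ingress path values and nginx-specific annotation values that carry characters with meaning in an nginx configuration file, and it reports whether a controller's ConfigMap and container arguments carry the `strict-validate-path-type` option and the `--enable-annotation-validation` flag. The allow-list regex, the metacharacter set and the sample Ingress objects are constructed for this example and are an editorial approximation, not the controller's own validation logic.

```python
import re

# Constructed allow-list for spec.rules[].http.paths[].path. This is an editorial
# approximation that is deliberately stricter than what the controller accepts;
# it is NOT the regex ingress-nginx itself uses.
SAFE_PATH_RE = re.compile(r"/[A-Za-z0-9._~%!&'()*+,=:@/-]*")

# Characters that carry meaning inside an nginx configuration file. A controller
# that interpolates user-controlled strings into its template must never let
# these through unescaped, so an auditor treats them as findings.
NGINX_META = set(";{}#$\n\r")

# Annotation named in CVE-2023-5044 (present on the page). Every annotation in
# the nginx.ingress.kubernetes.io/ namespace is audited the same way here.
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def check_path(path):
    """Return a list of findings for one path value; an empty list means clean."""
    findings = []
    if not path.startswith("/"):
        findings.append("path must be absolute")
    if ".." in path.split("/"):
        findings.append("path contains a traversal segment")
    if NGINX_META & set(path):
        findings.append("path contains nginx configuration metacharacters")
    # fullmatch (rather than match with '$') so a trailing newline cannot slip past.
    if not SAFE_PATH_RE.fullmatch(path):
        findings.append("path contains characters outside the allow-list")
    return findings


def check_ingress(ingress):
    """Audit a deserialized Ingress object; returns {location: [findings]}."""
    report = {}
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    for name, value in annotations.items():
        if name.startswith(ANNOTATION_PREFIX) and NGINX_META & set(str(value)):
            report["annotation " + name] = [
                "value contains nginx configuration metacharacters"]
    rules = ingress.get("spec", {}).get("rules") or []
    for ri, rule in enumerate(rules):
        for pi, entry in enumerate((rule.get("http") or {}).get("paths") or []):
            findings = check_path(entry.get("path", ""))
            if findings:
                report["spec.rules[%d].http.paths[%d].path" % (ri, pi)] = findings
    return report


def missing_mitigations(configmap_data, controller_args):
    """Report which of the two mitigations named in the advisory are absent.

    configmap_data: the `data` map of the ingress-nginx controller ConfigMap.
    controller_args: the controller container's args list from its Deployment.
    """
    missing = []
    if str(configmap_data.get("strict-validate-path-type", "")).lower() != "true":
        missing.append("strict-validate-path-type is not enabled in the ConfigMap")
    wanted = {"--enable-annotation-validation", "--enable-annotation-validation=true"}
    if not wanted & set(controller_args):
        missing.append("--enable-annotation-validation is not set on the controller")
    return missing


# Constructed sample objects (not taken from the advisory).
SAFE_INGRESS = {
    "metadata": {"name": "shop", "annotations": {
        REDIRECT_ANNOTATION: "https://shop.example/"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/api/v1", "pathType": "Prefix"}]}}]},
}
RISKY_INGRESS = {
    "metadata": {"name": "suspect", "annotations": {
        REDIRECT_ANNOTATION: "https://shop.example/;\nplaceholder"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/static/../token", "pathType": "Prefix"},
        {"path": "/a{b}", "pathType": "Prefix"}]}}]},
}

if __name__ == "__main__":
    for ing in (SAFE_INGRESS, RISKY_INGRESS):
        print(ing["metadata"]["name"], check_ingress(ing))
    print(missing_mitigations({}, []))
    print(missing_mitigations({"strict-validate-path-type": "true"},
                              ["--enable-annotation-validation"]))
```

The audit is deliberately stricter than the controller's own validation: a cluster operator reviewing Ingress objects submitted by tenants wants to reject anything that looks like it could reach the nginx template unescaped, not to reproduce the exact boundary of the upstream parser.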
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
“The fact that ingress controllers have access to TLS secrets and the Kubernetes API by design makes them workloads with a high privilege scope. In addition, since they are often public internet-facing components, they are very susceptible to external traffic coming into the cluster through them.”