Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
The vulnerabilities are as follows –
- CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
- CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
- CVE-2023-5044 (CVSS score: 7.6) – Code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation
“These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.
Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886, the result of a lack of validation in the “spec.rules.http.paths.path” field, permits an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.
“In the Ingress object, the operator can define which incoming HTTP path is routed to which internal path,” Hirschberg noted. “The vulnerable application does not adequately check the validity of the internal path, and it can point to the internal file which contains the service account token that is the client credential for authentication against the API server.”
In the absence of fixes, the maintainers of the software have released mitigations that involve enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.
ARMO said that updating ingress-nginx to version 1.19, along with adding the “--enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
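The mitigations above boil down to refusing Ingress objects whose path fields or ingress-nginx annotations carry characters that could escape the nginx `location` or redirect directive they are templated into. As an added example (not code from the original article or from the ingress-nginx project), the following Python check applies that idea to Ingress manifests offline, for instance in CI or as the decision function of a validating webhook, so the same objects can be caught before they reach a controller that has not yet been upgraded. The character policy, the helper names (`check_path`, `check_annotations`, `check_ingress`) and the sample manifests are assumptions made for this example; the allow-list is deliberately conservative and is not ingress-nginx's exact strict-validate-path-type rule.

```python
"""Offline pre-admission check for Ingress objects (added example).

Applies the idea behind the ingress-nginx mitigations described in the
article (strict path validation, annotation validation) to Ingress
manifests before they reach the cluster, e.g. in CI or inside a validating
webhook. The character policy, the helper names and the sample manifests
are assumptions made for this example, not ingress-nginx's own rules.
"""
import re
from typing import Any, Dict, List

# Annotation prefix handled by ingress-nginx.
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Conservative allow-list for pathType Exact/Prefix (assumed policy): a plain
# URL path never needs quotes, braces, ';', '#' or newlines, and those are
# exactly what an attacker needs to break out of the generated nginx
# `location` directive. Not ingress-nginx's exact strict-validate-path-type regex.
PLAIN_PATH = re.compile(r"^/[A-Za-z0-9/_\-.~]*$")

# Characters that terminate an nginx directive, open/close a block, start a
# comment or break a line. Applied to ImplementationSpecific paths (which may
# legitimately be regexes, so '$', '(' and '.' stay allowed) and to all
# nginx.ingress.kubernetes.io/* annotation values.
NGINX_BREAKOUT = re.compile(r'[;{}#"\n\r]')

# A redirect target should be a plain absolute URL (assumed policy).
ABSOLUTE_URL = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9/_\-.~%?=&+]*)?$")

# Annotations whose values are raw nginx configuration by design; they are
# always reported so a human reviews them.
SNIPPET_ANNOTATIONS = {"configuration-snippet", "server-snippet", "stream-snippet"}


def check_path(path: str, path_type: str) -> List[str]:
    """Return findings for one spec.rules[].http.paths[] entry."""
    if not path.startswith("/"):
        return [f"path {path!r} must start with '/'"]
    if path_type in ("Exact", "Prefix"):
        if not PLAIN_PATH.match(path):
            return [f"path {path!r} ({path_type}) has characters outside the plain-path allow-list"]
    elif NGINX_BREAKOUT.search(path):
        return [f"path {path!r} ({path_type}) contains nginx config breakout characters"]
    return []


def check_annotations(annotations: Dict[str, str]) -> List[str]:
    """Return findings for ingress-nginx annotations on the object."""
    findings: List[str] = []
    for key, value in annotations.items():
        if not key.startswith(NGINX_ANNOTATION_PREFIX):
            continue
        name = key[len(NGINX_ANNOTATION_PREFIX):]
        if name in SNIPPET_ANNOTATIONS:
            findings.append(f"annotation {name} carries raw nginx configuration; review manually")
            continue
        if NGINX_BREAKOUT.search(value):
            findings.append(f"annotation {name} value {value!r} contains nginx config breakout characters")
        if name == "permanent-redirect" and not ABSOLUTE_URL.match(value):
            findings.append(f"annotation {name} value {value!r} is not a plain absolute URL")
    return findings


def check_ingress(manifest: Dict[str, Any]) -> List[str]:
    """Return all findings for one Ingress manifest (empty list means it passes)."""
    findings = check_annotations(manifest.get("metadata", {}).get("annotations") or {})
    for rule in manifest.get("spec", {}).get("rules", []):
        for entry in (rule.get("http") or {}).get("paths", []):
            findings += check_path(entry.get("path", "/"), entry.get("pathType", "ImplementationSpecific"))
    return findings


# Constructed sample manifests (not real cluster objects).
_BACKEND = {"service": {"name": "shop", "port": {"number": 80}}}

BENIGN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop", "annotations": {
        NGINX_ANNOTATION_PREFIX + "permanent-redirect": "https://shop.example.com/new"}},
    "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
        {"path": "/api", "pathType": "Prefix", "backend": _BACKEND}]}}]},
}

# Values carrying the characters an injection would need; illustrative only,
# not a tested exploit string.
HOSTILE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "looks-normal", "annotations": {
        NGINX_ANNOTATION_PREFIX + "permanent-redirect": 'https://evil.example/"; return 200 $request_uri; #'}},
    "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
        {"path": "/files/*", "pathType": "Prefix", "backend": _BACKEND},
        {"path": '/a"; location /leak { alias /var/run/secrets/kubernetes.io/serviceaccount/; } #',
         "pathType": "ImplementationSpecific", "backend": _BACKEND}]}}]},
}

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_INGRESS), ("hostile", HOSTILE_INGRESS)):
        print(name, check_ingress(manifest) or "OK")
```

The benign manifest passes and the hostile one produces four findings: both of its paths and, twice, its redirect annotation. ImplementationSpecific paths are held to a looser rule than Exact/Prefix on purpose, because ingress-nginx treats them as regexes and a pattern such as `/api(/|$)(.*)` is legitimate; the check only rejects the characters that would end the directive or open a new block. Snippet annotations are flagged unconditionally because any value they hold is nginx configuration by definition.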
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
“The fact that ingress controllers have access to TLS secrets and the Kubernetes API by design makes them workloads with a high privilege scope. In addition, since they are often public internet-facing components, they are very vulnerable to external traffic coming into the cluster through them.”