Executive Summary
Three critical security vulnerabilities have been identified in the NGINX Ingress controller for Kubernetes, which, if exploited, could lead to the theft of secret credentials from the cluster by malicious actors.
The flaws highlight the potential for unauthorised access to sensitive data and arbitrary code injection into the ingress controller process.
Given the high-severity scores of these vulnerabilities, immediate mitigation measures are imperative to prevent potential exploitation, especially since a fix has not been released yet.
The disclosed flaws underscore a pressing need for stringent validation and configuration checks in handling ingress objects within Kubernetes environments.
NGINX Ingress Controller
The NGINX Ingress Controller for Kubernetes is a vital component that manages external access to the services in a Kubernetes cluster, typically HTTP. It provides configurable traffic routing and handles the ingress of network communication into the cluster, directing the traffic to the appropriate services based on defined rules.
Ingress Controllers are crucial for the functionality and security of Kubernetes clusters, making them a significant point of focus in ensuring the robustness of the network security posture. They act as a bridge between external traffic and the internal services of the Kubernetes cluster, thus playing a pivotal role in managing and securing network communication.
The NGINX Ingress Controller (ingress-nginx) is an open-source project owned and maintained by the Kubernetes community and hosted on GitHub.
Kubernetes, an open-source container orchestration system for automating software deployment, scaling, and management, is owned by the Linux Foundation, a non-profit organisation founded in 2000. The Linux Foundation is responsible for the governance and maintenance of Kubernetes, with a Board of Directors composed of executives from major technology companies like Facebook, Microsoft, and IBM.
CVE-2022-4886
Vulnerability Title: Ingress-nginx Path Sanitization Bypass
CVSS Score: 8.8
Impact: This vulnerability arises from inadequate validation in the “spec.rules[].http.paths[].path” field, allowing an attacker with access to the Ingress object to extract Kubernetes API credentials from the ingress controller. The flaw could enable an attacker to redirect incoming HTTP paths to internal files containing sensitive service account tokens used for authentication against the API server.
Mitigation: Until a patch is released, mitigating this vulnerability involves enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag. These measures prevent the creation of Ingress objects containing invalid characters and impose additional restrictions on what the controller will accept.
CVE-2023-5043
Vulnerability Title: Ingress-nginx Annotation Injection
CVSS Score: 7.6
Impact: This vulnerability could allow an attacker to execute arbitrary commands by exploiting the ingress-nginx annotation. Successful exploitation could lead to unauthorised access and potentially further compromise of the Kubernetes cluster.
Mitigation: Updating NGINX to version 1.19 and adding the --enable-annotation-validation command-line flag are recommended to resolve this vulnerability. This configuration prevents malicious annotation values from being injected into the controller configuration.
CVE-2023-5044
Vulnerability Title: Code Injection via nginx.ingress.kubernetes.io/permanent-redirect Annotation
CVSS Score: 7.6
Impact: Similar to CVE-2023-5043, this flaw could permit an attacker to inject malicious code through a specific annotation, escalating the risk of unauthorised access and data compromise within the Kubernetes cluster.
Mitigation: As with CVE-2023-5043, mitigation entails updating NGINX to version 1.19 and adding the --enable-annotation-validation command-line flag to counteract potential code injection attempts.
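The three mitigations above come down to two controller settings (the “strict-validate-path-type” ConfigMap option and the --enable-annotation-validation flag) plus the discipline of not accepting Ingress objects whose paths or nginx annotations carry characters the controller should never render into its configuration. The following audit script is an added example written for this advisory; it is not ingress-nginx project code. It takes Ingress, ConfigMap and Deployment objects in the dictionary shape that kubectl -o json produces, and reports which of the two settings are missing and which Ingress objects carry suspicious path characters or annotation values. The allowlist and metacharacter sets are assumptions that model the “invalid characters” idea from the advisory, not the controller’s own validation regexes, and the sample objects are constructed, not taken from any real cluster.

```python
import re
from typing import List

# Added audit example, not ingress-nginx project code. The two regexes below
# are assumptions: a conservative path allowlist and a set of nginx.conf
# metacharacters, not the controller's real validation rules.

# Paths with pathType Prefix/Exact are expected to be plain URL path segments.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9\-._~/]*$")

# Characters that could terminate or extend an nginx directive if an
# annotation value were rendered verbatim into nginx.conf.
RISKY_ANNOTATION_CHARS = re.compile(r"[\n\r;{}#$\\`'\"]")
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def audit_ingress(ingress: dict) -> List[str]:
    """Return one finding per suspicious path or annotation in an Ingress
    object (dict shape mirrors `kubectl get ingress -o json`)."""
    findings: List[str] = []
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "")
            ptype = p.get("pathType", "ImplementationSpecific")
            # Regex-style paths are only expected with ImplementationSpecific,
            # so Prefix/Exact paths must stay inside the allowlist.
            if ptype in ("Prefix", "Exact") and not SAFE_PATH_RE.match(path):
                findings.append(
                    f"{name}: {ptype} path {path!r} has characters outside the allowlist")
    for key, value in meta.get("annotations", {}).items():
        if key.startswith(ANNOTATION_PREFIX) and RISKY_ANNOTATION_CHARS.search(value):
            findings.append(f"{name}: annotation {key} contains nginx.conf metacharacters")
    return findings


def audit_controller(configmap: dict, deployment: dict) -> List[str]:
    """Check that the controller ConfigMap enables strict-validate-path-type
    and that the controller container runs with --enable-annotation-validation."""
    findings: List[str] = []
    if configmap.get("data", {}).get("strict-validate-path-type", "").lower() != "true":
        findings.append('ConfigMap: strict-validate-path-type is not "true"')
    args: List[str] = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        args.extend(container.get("args", []))
    if "--enable-annotation-validation" not in args:
        findings.append("Deployment: controller args lack --enable-annotation-validation")
    return findings


# --- constructed sample objects (not from any real cluster) -----------------
CLEAN_INGRESS = {
    "metadata": {"name": "shop", "namespace": "prod",
                 "annotations": {ANNOTATION_PREFIX + "rewrite-target": "/"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/api", "pathType": "Prefix"}]}}]},
}
SUSPICIOUS_INGRESS = {
    "metadata": {"name": "legacy", "namespace": "prod",
                 "annotations": {ANNOTATION_PREFIX + "permanent-redirect":
                                 "https://example.com/new;"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/catalog?sort=asc", "pathType": "Prefix"}]}}]},
}
WEAK_CONFIGMAP = {"data": {"use-forwarded-headers": "true"}}
HARDENED_CONFIGMAP = {"data": {"strict-validate-path-type": "true"}}
WEAK_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--ingress-class=nginx"]}]}}}}
HARDENED_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--ingress-class=nginx",
              "--enable-annotation-validation"]}]}}}}


def run_audit() -> List[str]:
    """Run both audits over the constructed samples and return every finding."""
    findings = audit_ingress(CLEAN_INGRESS) + audit_ingress(SUSPICIOUS_INGRESS)
    findings += audit_controller(WEAK_CONFIGMAP, WEAK_DEPLOYMENT)
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Against the constructed samples the script reports four findings: the query string in the Prefix path, the semicolon in the permanent-redirect annotation, the missing ConfigMap option and the missing controller flag; the hardened ConfigMap and Deployment produce none. In a real cluster the dictionaries would come from kubectl output, and the path and annotation checks are the ones worth running in CI before an Ingress object reaches a controller that has not yet been patched.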
Takeaways
The identified vulnerabilities within the NGINX Ingress Controller emphasise the inherent risks associated with managing ingress traffic and configurations in Kubernetes environments. Specifically, the flaws highlight the potential for unauthorised access and data compromise if stringent validation and configuration checks are not enforced diligently.
The NGINX Ingress Controller’s role as a gatekeeper underscores the importance of continuous monitoring, timely updates, and adherence to best practices in configuration management to ensure a secure and resilient Kubernetes environment.
The immediate adoption of the suggested mitigation measures is crucial to uphold the integrity and security of Kubernetes environments against potential cyber threats.