[CVSS 8+] Kubernetes NGINX: Urgent Security Alert

Executive Summary

Three critical security vulnerabilities have been identified in the NGINX Ingress controller for Kubernetes, which, if exploited, could lead to the theft of secret credentials from the cluster by malicious actors.

The flaws highlight the potential for unauthorised access to sensitive data and arbitrary code injection into the ingress controller process.

Given the high-severity scores of these vulnerabilities, immediate mitigation measures are imperative to prevent potential exploitation, especially since a fix has not been released yet.

The disclosed flaws underscore a pressing need for stringent validation and configuration checks in handling ingress objects within Kubernetes environments.

NGINX Ingress Controller

The NGINX Ingress Controller for Kubernetes is a vital component that manages external access to the services in a Kubernetes cluster, typically HTTP. It provides configurable traffic routing and handles the ingress of network communication into the cluster, directing the traffic to the appropriate services based on defined rules.

Ingress Controllers are crucial for the functionality and security of Kubernetes clusters, making them a significant point of focus in ensuring the robustness of the network security posture. They act as a bridge between external traffic and the internal services of the Kubernetes cluster, thus playing a pivotal role in managing and securing network communication.

The NGINX Ingress Controller is an open-source project owned and maintained by the Kubernetes community and hosted on GitHub.

Kubernetes, an open-source container orchestration system for automating software deployment, scaling, and management, is owned by the Linux Foundation, a non-profit organisation founded in 2000. The Linux Foundation is responsible for the governance and maintenance of Kubernetes, with a Board of Directors composed of executives from major technology companies like Facebook, Microsoft, and IBM.

CVE-2022-4886

Vulnerability Title: Ingress-nginx Path Sanitization Bypass

CVSS Score: 8.8

Impact: This vulnerability arises from inadequate validation in the “spec.rules[].http.paths[].path” field, allowing an attacker with access to the Ingress object to extract Kubernetes API credentials from the ingress controller. The flaw could enable an attacker to redirect incoming HTTP paths to internal files containing sensitive service account tokens used for authentication against the API server.

Mitigation: Until a patch is released, mitigate this vulnerability by enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag. These measures prevent the creation of Ingress objects with invalid characters and impose additional restrictions.

CVE-2023-5043

Vulnerability Title: Ingress-nginx Annotation Injection

CVSS Score: 7.6

Impact: This vulnerability could allow an attacker to execute arbitrary commands by exploiting the ingress-nginx annotation. Successful exploitation could lead to unauthorised access and potentially further compromise of the Kubernetes cluster.

Mitigation: Updating NGINX to version 1.19 and adding the --enable-annotation-validation command-line configuration are recommended to resolve this vulnerability. This configuration helps prevent malicious annotation injections.

CVE-2023-5044

Vulnerability Title: Code Injection via nginx.ingress.kubernetes.io/permanent-redirect Annotation

CVSS Score: 7.6

Impact: Similar to CVE-2023-5043, this flaw could permit an attacker to inject malicious code through a specific annotation, escalating the risk of unauthorised access and data compromise within the Kubernetes cluster.

Mitigation: As with CVE-2023-5043, mitigation entails updating NGINX to version 1.19 and adding the --enable-annotation-validation command-line configuration to counteract potential code injection attempts.
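
The following is an added example, not code from the original article or from the ingress-nginx project: a pre-deployment audit that flags the kind of Ingress objects the path-type and annotation validation mitigations above are meant to reject. The path allowlist, the risky-character set, the function names and the sample objects are assumptions constructed for illustration; the controller's own validation rules may differ.

```python
import re

# Assumptions (not the controller's own rules): a conservative path allowlist
# and a set of characters that carry structural meaning in NGINX configuration.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_\-/]*")
RISKY_VALUE = re.compile(r"[{};\x00-\x1f]")
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def audit_ingress(ingress):
    """Return (object, field, reason) findings for one Ingress given as a dict."""
    meta = ingress.get("metadata") or {}
    obj = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for key, value in (meta.get("annotations") or {}).items():
        if key.startswith(ANNOTATION_PREFIX) and RISKY_VALUE.search(str(value)):
            findings.append((obj, key, "config-significant characters in value"))
    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            path = entry.get("path", "")
            path_type = entry.get("pathType", "ImplementationSpecific")
            if path_type == "ImplementationSpecific":
                # Not covered by strict path validation, so it needs manual review.
                findings.append((obj, path, "ImplementationSpecific path, review by hand"))
            elif not SAFE_PATH.fullmatch(path):  # fullmatch also rejects a trailing newline
                findings.append((obj, path, f"invalid characters for pathType {path_type}"))
    return findings


def audit_all(ingresses):
    """Audit a list of Ingress dicts and return all findings in order."""
    return [finding for ing in ingresses for finding in audit_ingress(ing)]


# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLES = [
    {"metadata": {"namespace": "shop", "name": "clean",
                  "annotations": {ANNOTATION_PREFIX + "ssl-redirect": "true"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/cart", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "regex-in-prefix"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api(/|$)(.*)", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "blog", "name": "odd-redirect",
                  "annotations": {ANNOTATION_PREFIX + "permanent-redirect":
                                  "https://example.com/{constructed}"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Exact"}]}}]}},
]

if __name__ == "__main__":
    for obj, field, reason in audit_all(SAMPLES):
        print(f"{obj}: {field}: {reason}")
```

On a live cluster, the `items` list from `kubectl get ingress -A -o json` can be passed to `audit_all` in place of the constructed samples.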

Takeaways

The identified vulnerabilities within the NGINX Ingress Controller emphasise the inherent risks associated with managing ingress traffic and configurations in Kubernetes environments. Specifically, the flaws highlight the potential for unauthorised access and data compromise if stringent validation and configuration checks are not enforced diligently.

The NGINX Ingress Controller’s role as a gatekeeper underscores the importance of continuous monitoring, timely updates, and adherence to best practices in configuration management to ensure a secure and resilient Kubernetes environment.

The immediate adoption of the suggested mitigation measures is crucial to uphold the integrity and security of Kubernetes environments against potential cyber threats.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.