Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
The vulnerabilities are as follows:
- CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
- CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
- CVE-2023-5044 (CVSS score: 7.6) – Code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation
“These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.
Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886, the result of a lack of validation in the “spec.rules[].http.paths[].path” field, allows an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.
“In the Ingress object, the operator can define which incoming HTTP path is routed to which internal path,” Hirschberg said. “The vulnerable application does not properly check the validity of the internal path, and it can point to the internal file that contains the service account token, which is the client credential for authentication against the API server.”
In the absence of fixes, the maintainers of the software have released mitigations that involve enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and to enforce additional restrictions.
ARMO said that updating NGINX to version 1.19, along with adding the “--enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
“While they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
“The fact that ingress controllers have access to TLS secrets and the Kubernetes API by design makes them workloads with a high privilege scope. In addition, since they are often public internet-facing components, they are very vulnerable to external traffic entering the cluster through them.”
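The controller-side mitigations above only protect Ingress objects created after they are enabled. The following added audit script (not from the article or the ingress-nginx project) walks the JSON that `kubectl get ingress -A -o json` returns and flags existing objects whose path or redirect annotation values contain characters the strict validation would reject; the allowlist and the list of rendered annotations are this script's own conservative assumptions, not ingress-nginx's exact rules.

```python
import re

# Assumption: a conservative allowlist for Ingress path values, approximating the
# alphanumeric/slash/dash/dot/underscore/tilde set that strict-validate-path-type
# enforces for pathType Exact and Prefix.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9/\-_.~]*$")

# Characters that have no business in an annotation value that is rendered
# into the generated nginx.conf (newlines, statement terminators, blocks, vars).
BAD_ANNOTATION_CHARS = re.compile(r"[\r\n;{}$\"']")

# Annotations whose values end up inside nginx.conf. The article names
# permanent-redirect; the others are added here by assumption.
RENDERED_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/permanent-redirect",
    "nginx.ingress.kubernetes.io/temporal-redirect",
    "nginx.ingress.kubernetes.io/configuration-snippet",
)


def audit_ingress_list(doc: dict) -> list:
    """Return (namespace/name, where, value) for every suspicious field."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for rule in item.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                path = p.get("path", "/")
                # ImplementationSpecific paths are regexes by design; skip them here.
                if p.get("pathType") != "ImplementationSpecific" and not SAFE_PATH_RE.match(path):
                    findings.append((name, "path", path))
        for key, value in meta.get("annotations", {}).items():
            if key in RENDERED_ANNOTATIONS and BAD_ANNOTATION_CHARS.search(value):
                findings.append((name, key, value))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output:
# one clean Ingress and one whose path and redirect annotation would be rejected.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.com/new;\n"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/v1;debug", "pathType": "Prefix"}]}}]}},
]}

if __name__ == "__main__":
    for ns_name, where, value in audit_ingress_list(SAMPLE):
        print(f"{ns_name}: suspicious {where} value {value!r}")
```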
Some parts of this article are sourced from:
thehackernews.com