Oct 30, 2023NewsroomKubernetes / Server Security

Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.

The vulnerabilities are as follows –

• CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
• CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution
• CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation

“These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster,” Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.

Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process, and gain unauthorized access to sensitive data.

CVE-2022-4886, a result of a lack of validation in the “spec.rules[].http.paths[].path” field, permits an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.

“In the Ingress object, the operator can define which incoming HTTP path is routed to which inner path,” Hirschberg noted. “The vulnerable application does not check properly the validity of the inner path and it can point to the internal file which contains the service account token that is the client credential for authentication against the API server.”

In the absence of fixes, the maintainers of the software have released mitigations that involve enabling the “strict-validate-path-type” option and setting the –enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.

ARMO said that updating NGINX to version 1.19, alongside adding the “–enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.

“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.

“The fact that ingress controllers have access to TLS secrets and Kubernetes API by design makes them workloads with high privilege scope. In addition, since they are often public internet facing components, they are very vulnerable to external traffic entering the cluster through them.”