Three unpatched high-severity vulnerabilities have been disclosed in the NGINX Ingress controller for Kubernetes (ingress-nginx) that could be used by a threat actor to steal secret credentials from the cluster.
The vulnerabilities are:
CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller.
CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection leads to arbitrary command execution.
CVE-2023-5044 (CVSS score: 7.6) – Code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation.
Describing CVE-2023-5043 and CVE-2023-5044, Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said that “these vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster.”
Successful exploitation could allow an attacker to inject arbitrary code into the ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886 stems from insufficient validation of the “spec.rules.http.paths.path” field and allows an attacker with access to the Ingress object to steal the ingress controller's credentials for the Kubernetes API.
“In the Ingress object, the operator can define which incoming HTTP path is routed to which inner path,” Hirschberg stated. “The vulnerable application does not properly check the validity of the inner path, and it can point to the internal file which contains the service account token that is the client credential for authentication against the API server.”
In the absence of patches, the maintainers have published mitigations: enabling the “strict-validate-path-type” option, which rejects Ingress objects whose paths contain invalid characters, and setting the --enable-annotation-validation flag, which enforces additional restrictions on annotation values.
According to ARMO, CVE-2023-5043 and CVE-2023-5044 can be fixed by upgrading the ingress-nginx controller to version 1.19 and adding the --enable-annotation-validation command-line option.
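The two weak spots described above are the Ingress path field and the permanent-redirect annotation, and the recommended mitigations are a strict path check plus annotation validation. The following audit script is an added example written for this article, not ingress-nginx code: it walks an IngressList in the shape `kubectl get ingress -A -o json` produces, flags paths and redirect annotations that a strict validator would reject, and checks whether the controller's ConfigMap and Deployment carry the two mitigations. The character classes are this example's own approximation (deliberately stricter than the controller's rule, and not the controller's actual regex), the `..`-segment check reflects the traversal described in the quote above, and all sample objects are constructed inline.

```python
"""Audit Ingress objects against the ingress-nginx mitigations.

Added example, not ingress-nginx code. STRICT_PATH and REDIRECT_URL are
this example's own approximations of what strict-validate-path-type and
--enable-annotation-validation enforce; the controller's exact regexes
are not reproduced here.
"""
import re

# Leading "/" followed only by unreserved URL characters, "/" and "%".
STRICT_PATH = re.compile(r"^/[A-Za-z0-9/._~%-]*$")
# A plain absolute http(s) URL made of URL-safe characters; whitespace,
# quotes, braces or newlines cannot appear in a legitimate redirect target.
REDIRECT_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+$")
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"


def check_path(path_type, path):
    """Return a rejection reason for an Ingress path, or None if it is acceptable."""
    if not path.startswith("/"):
        return "path must be absolute"
    if ".." in path.split("/"):
        return "path contains a '..' segment"
    # ImplementationSpecific paths may be nginx regexes, so only Exact and
    # Prefix paths get the strict character check (as the option does).
    if path_type in ("Exact", "Prefix") and not STRICT_PATH.match(path):
        return "path contains characters outside the strict set"
    return None


def check_redirect(value):
    """Return a rejection reason for a permanent-redirect annotation value, or None."""
    if not REDIRECT_URL.match(value):
        return "permanent-redirect is not a plain absolute http(s) URL"
    return None


def audit_ingresses(ingress_list):
    """Return (namespace/name, reason) findings for every Ingress in a kubectl-style IngressList."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for rule in ing.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                reason = check_path(p.get("pathType", "ImplementationSpecific"), p.get("path", "/"))
                if reason:
                    findings.append((ref, f"{p.get('path')!r}: {reason}"))
        redirect = meta.get("annotations", {}).get(REDIRECT_ANNOTATION)
        if redirect is not None:
            reason = check_redirect(redirect)
            if reason:
                findings.append((ref, f"{REDIRECT_ANNOTATION}: {reason}"))
    return findings


def mitigations_enabled(controller_configmap, controller_deployment):
    """Report whether the ConfigMap sets strict-validate-path-type and the
    controller container is started with --enable-annotation-validation."""
    data = controller_configmap.get("data", {})
    strict = data.get("strict-validate-path-type", "").lower() == "true"
    containers = controller_deployment["spec"]["template"]["spec"]["containers"]
    annot = any(arg.startswith("--enable-annotation-validation")
                for c in containers for arg in c.get("args", []))
    return {"strict-validate-path-type": strict, "--enable-annotation-validation": annot}


# Constructed sample objects (not from a real cluster).
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"http": {"paths": [{"pathType": "Prefix", "path": "/api/v1"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "odd-path"},
     "spec": {"rules": [{"http": {"paths": [
         {"pathType": "Prefix", "path": "/static/../../var/run/secrets"},
         {"pathType": "Exact", "path": "/a b{c}"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "redirect",
                  "annotations": {REDIRECT_ANNOTATION: "https://example.com/new; some text"}},
     "spec": {"rules": [{"http": {"paths": [{"pathType": "Prefix", "path": "/old"}]}}]}},
]}
SAMPLE_CONFIGMAP = {"data": {"strict-validate-path-type": "true"}}
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}]}}}}

if __name__ == "__main__":
    for ref, reason in audit_ingresses(SAMPLE_INGRESSES):
        print(f"{ref}: {reason}")
    print(mitigations_enabled(SAMPLE_CONFIGMAP, SAMPLE_DEPLOYMENT))
```

Against a live cluster, feed `kubectl get ingress -A -o json`, the controller's ConfigMap and its Deployment into the same functions; a finding on an existing Ingress tells you in advance which objects will be rejected once the strict options are switched on, so they can be cleaned up before the controller starts refusing them.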
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg stated.
“Ingress controllers are workloads with a high privilege scope, since they are designed to have access to TLS secrets and the Kubernetes API. Furthermore, because they frequently face the public internet, they are extremely susceptible to outside traffic passing through them and into the cluster.”