Three unpatched high-severity security vulnerabilities exist in Kubernetes' NGINX Ingress controller, potentially allowing attackers to steal confidential credentials from the cluster.
These vulnerabilities include:
CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the Ingress-nginx controller
CVE-2023-5043 (CVSS score: 7.6) - Ingress-nginx annotation injection leads to arbitrary command execution
CVE-2023-5044 (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044: "These vulnerabilities allow an attacker to control the Ingress object configuration and thereby steal confidential credentials from the cluster."
Successful exploitation of these vulnerabilities could allow an attacker to inject arbitrary code into the Ingress controller process and gain unauthorized access to sensitive data.
CVE-2022-4886 is caused by a lack of validation of the "spec.rules[].http.paths[].path" field, allowing an attacker with access to the Ingress object to steal Kubernetes API credentials from the Ingress controller.
Hirschberg pointed out: "In the Ingress object, the operator can define which incoming HTTP path is routed to which internal path. A vulnerable application fails to properly check the validity of the internal path, which may point to the internal path containing the service account token file; the token is the client's credentials to authenticate against the API server."
In the absence of a fix, the maintainers of the software have released mitigations, including enabling the "strict-validate-path-type" option and setting the --enable-annotation-validation flag, to prevent the creation of Ingress objects with invalid characters and to enforce additional restrictions.
ARMO stated that updating NGINX to version 1.19 and adding the "--enable-annotation-validation" command-line flag resolves CVE-2023-5043 and CVE-2023-5044.
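As an added example (not code from the article, ARMO or the ingress-nginx project), the following script audits parsed Ingress manifests for path values and permanent-redirect annotations that fall outside a conservative allow-list, and checks that the two mitigations named above are switched on. The allow-list regexes, the ConfigMap key location and the controller argument name are assumptions made for this audit.

```python
import re

# Conservative allow-list for spec.rules[].http.paths[].path. This is an assumption for
# the audit and stricter than the controller's own validation; consult its regex for the
# exact set it accepts when strict-validate-path-type is on.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")
# Redirect targets should be plain URLs: characters that could terminate or open an nginx
# directive (';', '{', '}', '$', quotes, whitespace) are reported (assumed heuristic).
SAFE_REDIRECT = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!&'()*+,=%-]+$")
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"


def audit_ingress(ingress: dict) -> list:
    """Return human-readable findings for one Ingress object (a parsed manifest)."""
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            # Reject characters outside the allow-list and any '..' segment.
            if not SAFE_PATH.match(path) or "/../" in path + "/":
                findings.append(f"{name}: suspicious path {path!r}")
    annotations = ingress.get("metadata", {}).get("annotations", {})
    target = annotations.get(REDIRECT_ANNOTATION)
    if target is not None and not SAFE_REDIRECT.match(target):
        findings.append(f"{name}: suspicious {REDIRECT_ANNOTATION} value {target!r}")
    return findings


def audit_controller(configmap_data: dict, container_args: list) -> list:
    """Check the two mitigations from the advisory (assumes the usual ingress-nginx
    ConfigMap data key and controller container argument)."""
    findings = []
    if configmap_data.get("strict-validate-path-type") != "true":
        findings.append('controller ConfigMap: strict-validate-path-type is not "true"')
    if "--enable-annotation-validation" not in container_args:
        findings.append("controller args: --enable-annotation-validation is missing")
    return findings


def run_audit(ingresses: list, configmap_data: dict, container_args: list) -> list:
    findings = audit_controller(configmap_data, container_args)
    for ingress in ingresses:
        findings.extend(audit_ingress(ingress))
    return findings


# Constructed sample input: one benign Ingress and one that should be reported twice.
GOOD_INGRESS = {"metadata": {"name": "shop"},
                "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1"}]}}]}}
BAD_INGRESS = {"metadata": {"name": "odd",
                            "annotations": {REDIRECT_ANNOTATION: "http://a.example/ x"}},
               "spec": {"rules": [{"http": {"paths": [{"path": "/app{"}]}}]}}

if __name__ == "__main__":
    for line in run_audit([GOOD_INGRESS, BAD_INGRESS], {}, ["/nginx-ingress-controller"]):
        print(line)
```

In a real cluster the Ingress list, ConfigMap data and container args would come from the API server (for example via `kubectl get ... -o json`); the script only needs the parsed dictionaries.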
"Although they point to different problems, all of these vulnerabilities stem from the same underlying issue," Hirschberg said.
"The fact that Ingress controllers are designed to have access to TLS secrets and Kubernetes APIs makes them workloads with a high permission scope. Additionally, since they are typically public internet-facing components, they are very vulnerable to the impact of external traffic entering the cluster through them."
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/security-vulnerability-found-in-kubernetes-nginx-controller-html