Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets
Just tricks, no treats with these 3 vulns
Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters.
The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited.
The Register did not immediately receive a response to questions, including if the bugs have been found and exploited and when a patch will be issued.
All three flaws affect those with the NGINX ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer.
The first two, CVE-2023-5043 and CVE-2023-5044, are both due to improper input validation and can be exploited to inject arbitrary code, obtain high-level credentials and steal all secrets from the cluster. Both are rated "high" severity bugs," received CVSS ratings of 7.6 out of 10, and affect versions 1.9.0 and earlier.
To mitigate both issues, the Kubernetes Security Response Committee's CJ Cullen recommends that ingress admins "set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields."
- F5 hurriedly squashes BIG-IP remote code execution bug
- Pro-Russia group exploits Roundcube zero-day in attacks on European government emails
- LockBit alleges it boarded Boeing, stole 'sensitive data'
- Apple drops urgent patch against obtuse TriangleDB iPhone malware
The third issue, CVE-2022-4886, received an 8.8 CVSS severity score. If someone can create or update ingress objects, they can exploit this bug to obtain Kubernetes API credentials from the ingress controller, and then use that access to steal all secrets in the cluster. It affects versions 1.8.0 and earlier.
Mitigating this flaw depends on the configuration of the pathType field, which defines the proxy behavior. If the pathType is configured as "Exact" or "Prefix," it should deny any ingress with invalid characters, we're told:
When pathType is configured as Exact or Prefix, there is more strict validation, allowing only paths starting with "/" and containing only alphanumeric characters and "-", "_" and additional "/".
If the pathType uses "ImplementationSpecific," however, then it's recommended that admins set a policy that blocks the malicious path as shown in this Open Policy Agent example.
While they are three separate issues, "all of these vulnerabilities point to the same underlying problem," according to Kubernetes security firm Armo's co-founder and Chief Technology Officer Ben Hirschberg.
"The fact that ingress controllers have access to TLS secrets and Kubernetes API by design makes them workloads with high privilege scope," Hirschberg wrote in a blog about the three bugs. "In addition, since they are often public internet facing components, they are very vulnerable to external traffic entering the cluster through them." ®