InfoSecBulletin Cybersecurity for mankind
Three unpatched security flaws in the NGINX Ingress controller for Kubernetes have been revealed. These flaws have a high severity level and could be used by a malicious actor to steal secret credentials from the cluster.
The vulnerabilities are as follows:
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller.
CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution.
CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
The vulnerabilities CVE-2023-5043 and CVE-2023-5044 allow an attacker to steal secret credentials from the cluster.
Exploiting the flaws could let a person inject code into the ingress controller process, and get access to sensitive data without permission.
CVE-2022-4886 allows an attacker to steal Kubernetes API credentials from the ingress controller by exploiting a lack of validation in the “spec.rules[].http.paths[].path” field.
The operator can define the routing of incoming HTTP paths in the Ingress object. However, the vulnerable application does not properly check the validity of the inner path. This means that the inner path can point to an internal file that contains the service account token, which is used for authentication against the API server.
To address the issue, the software maintainers have provided solutions. These involve enabling the “strict-validate-path-type” option and setting the –enable-annotation-validation flag. By doing so, the creation of Ingress objects with invalid characters is prevented, and extra limitations are enforced.
ARMO said that updating NGINX to version 1.19, alongside adding the “–enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
For more information click here.
