InfoSecBulletin Cybersecurity for mankind
Three unpatched security flaws in the NGINX Ingress controller for Kubernetes have been revealed. These flaws have a high severity level and could be used by a malicious actor to steal secret credentials from the cluster.
The vulnerabilities are as follows:
CVE-2022-4886 (CVSS score: 8.8) – Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller.
CVE-2023-5043 (CVSS score: 7.6) – Ingress-nginx annotation injection causes arbitrary command execution.
CVE-2023-5044 (CVSS score: 7.6) – Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
The vulnerabilities CVE-2023-5043 and CVE-2023-5044 allow an attacker to steal secret credentials from the cluster.
Exploiting the flaws could let a person inject code into the ingress controller process, and get access to sensitive data without permission.
CVE-2022-4886 allows an attacker to steal Kubernetes API credentials from the ingress controller by exploiting a lack of validation in the “spec.rules[].http.paths[].path” field.
The operator can define the routing of incoming HTTP paths in the Ingress object. However, the vulnerable application does not properly check the validity of the inner path. This means that the inner path can point to an internal file that contains the service account token, which is used for authentication against the API server.
To address the issue, the software maintainers have provided solutions. These involve enabling the “strict-validate-path-type” option and setting the –enable-annotation-validation flag. By doing so, the creation of Ingress objects with invalid characters is prevented, and extra limitations are enforced.
ARMO said that updating NGINX to version 1.19, alongside adding the “–enable-annotation-validation” command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.
“Although they point in different directions, all of these vulnerabilities point to the same underlying problem,” Hirschberg said.
For more information click here.
