NGINX Ingress Controller for Kubernetes Vulnerabilities Allow for Secret Theft
Recently, three high-severity vulnerabilities were disclosed in the NGINX Ingress controller for Kubernetes (ingress-nginx). They allow an attacker who has control over Ingress object configuration to steal secret credentials from the cluster. CVE-2023-5043 and CVE-2023-5044 allow arbitrary code to be injected into the Ingress controller process through Ingress annotations, which gives the attacker unauthorized access to the sensitive data the controller holds, such as secret credentials. The third vulnerability, CVE-2022-4886, is a lack of validation of the Ingress path field, which lets an attacker read the Kubernetes API credentials of the Ingress controller.
While the three vulnerabilities differ in detail, they give an attacker the same result. Whoever can create or update an Ingress object defines which inbound HTTP path is routed to which backend path, and because the controller did not properly validate that path field, it could be pointed at a file inside the controller pod, such as the mounted service account token the controller uses to authenticate to the API server. The Ingress controller holds secret credentials, talks to the Kubernetes API, and is usually Internet-facing, which makes these findings particularly dangerous, all the more so because the default ingress-nginx installation is permitted to read every Secret in the cluster.
You can check whether you run the NGINX Ingress controller by listing the pods in its default namespace (adjust the namespace if your installation uses a different one):
kubectl get po -n ingress-nginx
If you do, upgrade to a fixed release (versions before 1.9.0 are affected). In addition, set the “--enable-annotation-validation” flag on the controller to enforce restrictions on the contents of Ingress annotations. Beyond that, reduce the exposure further by enforcing pathType (require Exact or Prefix and reject ImplementationSpecific, which receives the least validation) and by adding an admission policy, for example with OpenPolicyAgent, that rejects Ingress objects carrying snippet annotations or suspicious paths.
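The following script is an added example and not part of the original post or of the ingress-nginx project. It audits the JSON that “kubectl get ingress -A -o json” and “kubectl get deploy -n ingress-nginx ingress-nginx-controller -o json” would return, flagging the two things described above: Ingress paths and annotations that could be abused (the path-to-token-file trick and annotation injection) and a controller that is missing the hardening flags. The annotation names, the path allowlist, and the “--strict-validate-path-type” flag are assumptions of this example rather than statements from the page; the sample Ingress and Deployment objects are constructed so the script runs offline.

```python
"""Audit Ingress objects and the ingress-nginx controller Deployment for the
weaknesses described above. Added example; assumes the kubectl JSON layout."""
import json
import re

# Annotations that let an Ingress author feed text into the generated nginx.conf.
# Assumed vector list for this example (snippet and redirect annotations).
RISKY_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/permanent-redirect",
}

# Controller flags this example expects to see enabled. --strict-validate-path-type
# is assumed to exist in recent releases; --enable-annotation-validation is from the page.
REQUIRED_FLAGS = ("--enable-annotation-validation", "--strict-validate-path-type")

# Our own conservative allowlist for path characters: no whitespace, quotes or braces,
# so nothing can terminate or extend an nginx "location" block.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~%!$&'()*+,;=:@/-]*$")


def audit_ingress(ingress: dict) -> list:
    """Return human-readable findings for one Ingress object (empty list = nothing risky)."""
    meta = ingress.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []

    for key, value in meta.get("annotations", {}).items():
        if key in RISKY_ANNOTATIONS:
            findings.append(f"{name}: uses annotation {key}")
        if "\n" in value or "\r" in value:
            findings.append(f"{name}: annotation {key} contains a newline (directive injection)")

    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            path_type = entry.get("pathType", "ImplementationSpecific")
            if path_type == "ImplementationSpecific":
                findings.append(f"{name}: path {path!r} uses pathType ImplementationSpecific")
            # ".." or any character outside the allowlist means the path could escape the
            # intended route, e.g. toward the mounted service account token.
            if ".." in path or not SAFE_PATH.match(path):
                findings.append(f"{name}: path {path!r} fails path sanitization")
    return findings


def _flag_enabled(args: list, flag: str) -> bool:
    """True if the flag is present as a bare switch or as flag=true."""
    for arg in args:
        if arg == flag:
            return True
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1].lower() == "true"
    return False


def audit_controller(deployment: dict) -> list:
    """Return the hardening flags missing from the controller container args."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    args = [a for c in containers for a in c.get("args", [])]
    return [flag for flag in REQUIRED_FLAGS if not _flag_enabled(args, flag)]


# Constructed sample data shaped like the items of `kubectl get ingress -A -o json`.
SAMPLE_INGRESSES = [
    {
        "metadata": {"name": "shop", "namespace": "web", "annotations": {}},
        "spec": {"rules": [{"http": {"paths": [
            {"path": "/api", "pathType": "Prefix", "backend": {}}]}}]},
    },
    {
        "metadata": {
            "name": "evil", "namespace": "tenant-b",
            "annotations": {
                "nginx.ingress.kubernetes.io/configuration-snippet": "return 200;\n}\nlocation /x {",
            },
        },
        "spec": {"rules": [{"http": {"paths": [
            {"path": "/../../var/run/secrets/kubernetes.io/serviceaccount/token",
             "pathType": "ImplementationSpecific", "backend": {}}]}}]},
    },
]

# Constructed controller Deployment with annotation validation explicitly switched off.
SAMPLE_CONTROLLER = {"spec": {"template": {"spec": {"containers": [{
    "name": "controller",
    "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader",
             "--enable-annotation-validation=false"],
}]}}}}


if __name__ == "__main__":
    for ing in SAMPLE_INGRESSES:
        for finding in audit_ingress(ing):
            print("INGRESS:", finding)
    for flag in audit_controller(SAMPLE_CONTROLLER):
        print("CONTROLLER: missing", flag)
    # To run against a live cluster, replace the samples with:
    #   json.load(open("ingresses.json"))["items"]  (from kubectl get ingress -A -o json)
```

Run against a real cluster by piping the kubectl output into json.load, as noted at the bottom of the script. The path allowlist deliberately rejects spaces, quotes and braces rather than trying to enumerate bad inputs, since the controller's own sanitization was what the path bypass defeated; the same findings can be turned into an admission policy so that such objects never reach the controller in the first place.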
If you are struggling with managing your vulnerabilities and risk, book a demo to see how Glassportal can make things easier: demo@glassportal.io