Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets


Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters.

The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited.

The Register did not immediately receive a response to questions, including whether the bugs have been found and exploited and when a patch will be issued.

All three flaws affect those with the NGINX ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer.

The first two, CVE-2023-5043 and CVE-2023-5044, are both due to improper input validation and can be exploited to inject arbitrary code, obtain high-level credentials and steal all secrets from the cluster. Both are rated "high" severity bugs, received CVSS ratings of 7.6 out of 10, and affect versions 1.9.0 and earlier.

To mitigate both issues, the Kubernetes Security Response Committee's CJ Cullen recommends that ingress admins "set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields."


The third issue, CVE-2022-4886, received an 8.8 CVSS severity score. If someone can create or update ingress objects, they can exploit this bug to obtain Kubernetes API credentials from the ingress controller, and then use that access to steal all secrets in the cluster. It affects versions 1.8.0 and earlier.

Mitigating this flaw depends on the configuration of the pathType field, which defines the proxy behavior. If the pathType is configured as "Exact" or "Prefix," it should deny any ingress with invalid characters, we're told.

If the pathType uses "ImplementationSpecific," however, then it's recommended that admins set a policy that blocks the malicious path, as shown in this Open Policy Agent example.
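As an added example that is not from the article or from the ingress-nginx project, the following Python audit walks the rules of parsed Ingress objects and flags the two cases the mitigation above distinguishes: rules using the ImplementationSpecific pathType (which need an explicit policy) and Exact/Prefix rules whose path contains characters outside a conservative allowlist. The allowlist, the function names and the sample objects are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Assumed conservative allowlist for Exact/Prefix paths: a leading "/" followed by
# RFC 3986 unreserved characters and "/" only. This is a choice made for this
# example, not the validation rule the ingress controller itself applies.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def audit_ingress(ingress: dict) -> List[str]:
    """Return one finding per Ingress rule path that needs attention."""
    findings: List[str] = []
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            ptype = entry.get("pathType")
            if ptype == "ImplementationSpecific":
                # Matching is left to the controller: cover it with an explicit policy.
                findings.append(f"{name}: {path!r} uses ImplementationSpecific pathType")
            elif ptype in ("Exact", "Prefix"):
                if not SAFE_PATH.match(path):
                    findings.append(f"{name}: {path!r} has characters outside the allowlist")
            else:
                findings.append(f"{name}: {path!r} has unexpected pathType {ptype!r}")
    return findings


def audit_all(ingresses: List[dict]) -> Dict[str, List[str]]:
    """Map each Ingress name to its findings (an empty list means clean)."""
    return {i["metadata"]["name"]: audit_ingress(i) for i in ingresses}


def make_ingress(name: str, path: str, ptype: str) -> dict:
    """Build a minimal constructed Ingress object with a single rule."""
    return {"metadata": {"name": name},
            "spec": {"rules": [{"http": {"paths": [{"path": path, "pathType": ptype}]}}]}}


# Constructed sample objects, not taken from any real cluster.
SAMPLE_INGRESSES = [
    make_ingress("api-prefix", "/api", "Prefix"),
    make_ingress("legacy-app", "/legacy", "ImplementationSpecific"),
    make_ingress("odd-chars", "/with space", "Exact"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INGRESSES).items():
        print(name, findings or "clean")
```

In a real cluster the objects would come from the API server (for example the output of kubectl get ingress -A -o json), and the ImplementationSpecific findings are the ones to cover with the OPA policy mentioned above.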

While they are three separate issues, "all of these vulnerabilities point to the same underlying problem," according to Kubernetes security firm Armo's co-founder and Chief Technology Officer Ben Hirschberg.

"The fact that ingress controllers have access to TLS secrets and Kubernetes API by design makes them workloads with high privilege scope," Hirschberg wrote in a blog about the three bugs. "In addition, since they are often public internet facing components, they are very susceptible to external traffic entering the cluster through them." ®