Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

Trending 1 month ago
  1. Home
  2. Security
  3. Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets

Three unpatched high-severity bugs successful nan NGINX ingress controller tin beryllium abused by miscreants to bargain credentials and different secrets from Kubernetes clusters. 

The vulnerabilities, tracked arsenic CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed connected October 27, and are listed arsenic presently awaiting triage. It's unclear if immoderate of nan flaws person been exploited.

The Register did not instantly person a consequence to questions, including if nan bugs person been recovered and exploited and erstwhile a spot will beryllium issued.

All 3 flaws impact those pinch nan NGINX ingress controller for Kubernetes that uses NGINX arsenic a reverse proxy and load balancer.

The first two, CVE-2023-5043 and CVE-2023-5044, are some owed to improper input validation and tin beryllium exploited to inject arbitrary code, get high-level credentials and bargain each secrets from nan cluster. Both are rated "high" severity bugs," received CVSS ratings of 7.6 retired of 10, and impact versions 1.9.0 and earlier.

To mitigate some issues, nan Kubernetes Security Response Committee's CJ Cullen recommends that ingress admins "set nan --enable-annotation-validation emblem to enforce restrictions connected nan contents of ingress-nginx note fields." 

  • F5 hurriedly squashes BIG-IP distant codification execution bug
  • Pro-Russia group exploits Roundcube zero-day successful attacks connected European authorities emails
  • LockBit alleges it boarded Boeing, stole 'sensitive data'
  • Apple drops urgent spot against obtuse TriangleDB iPhone malware

The 3rd issue, CVE-2022-4886, received an 8.8 CVSS severity score. If personification tin create aliases update ingress objects, they tin utilization this bug to get Kubernetes API credentials from nan ingress controller, and past usage that entree to bargain each secrets successful nan cluster. It affects versions 1.8.0 and earlier.

Mitigating this flaw depends connected nan configuration of nan pathType field, which defines nan proxy behavior. If nan pathType is configured arsenic "Exact" aliases "Prefix," it should contradict immoderate ingress pinch invalid characters, we're told:

If nan pathType uses "ImplementationSpecific," however, past it's recommended that admins group a argumentation that blocks nan malicious way arsenic shown successful this Open Policy Agent example.

While they are 3 abstracted issues, "all of these vulnerabilities constituent to nan aforesaid underlying problem," according to Kubernetes information patient Armo's co-founder and Chief Technology Officer Ben Hirschberg.

"The truth that ingress controllers person entree to TLS secrets and Kubernetes API by creation makes them workloads pinch precocious privilege scope," Hirschberg wrote successful a blog astir nan 3 bugs. "In addition, since they are often nationalist net facing components, they are very susceptible to outer postulation entering nan cluster done them." ®

Related Article

60 US credit unions offline after ransomware infects backend cloud outfit

60 US credit unions offline after ransomware infects backend cloud outfit

1 day ago
Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

1 day ago
UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

1 day ago
US readies prison cell for another Russian Trickbot developer

US readies prison cell for another Russian Trickbot developer

1 day ago
Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

1 day ago
Interpol makes first border arrest using Biometric Hub to ID suspect

Interpol makes first border arrest using Biometric Hub to ID suspect

1 day ago

Trending

1. Texas
2. Kentucky basketball
3. UFC
4. Duke Basketball
5. Boise State football
6. Suns
7. Tulane football
8. House of the Dragon Season 2
9. Florida State
10. Philippines earthquake

Popular Article

These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

14 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

14 hours ago
7 best funny Christmas movies you should watch this holiday season

7 best funny Christmas movies you should watch this holiday season

14 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

13 hours ago
iOS 17: How to share contacts using Apple’s amazing NameDrop feature

iOS 17: How to share contacts using Apple’s amazing NameDrop feature

16 hours ago
The Game Awards 2023: how to watch and what to expect

The Game Awards 2023: how to watch and what to expect

15 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.