Important: Newly Found Security Vulnerabilities in NGINX Ingress Controller for Kubernetes

Three High-Severity Vulnerabilities Found in NGINX Ingress Controller

Recently, cybersecurity experts have reported the discovery of three unpatched, high-severity vulnerabilities in the NGINX Ingress controller for Kubernetes. These flaws pose a significant risk, as they can be exploited by malicious actors to access sensitive credentials stored within the cluster.

The vulnerabilities in question, labeled as CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044, all have critical CVSS scores indicating the potential for severe impact. CVE-2022-4886 allows for path sanitization bypass, enabling attackers to extract credentials from the ingress-nginx controller. In addition, CVE-2023-5043 is associated with annotation injection, which could lead to arbitrary command execution, while CVE-2023-5044 involves code injection via a specific NGINX annotation.

Ben Hirschberg, CTO and co-founder of ARMO, a Kubernetes security platform, stated that these vulnerabilities could empower an attacker controlling the Ingress object’s configuration to exfiltrate secret credentials. This successful exploitation could allow unauthorized access to sensitive data by injecting arbitrary code into the ingress controller process.

CVE-2022-4886 results from inadequate validation within the “spec.rules[].http.paths[].path” field, enabling an attacker with an Ingress object to siphon Kubernetes API credentials directly from the ingress controller. Hirschberg elaborated that the insecure application fails to properly validate inner paths, allowing them to point to internal files containing vital service account tokens necessary for authentication against the API server.

In light of the lack of patches, software maintainers have released recommendations to mitigate the risk associated with these vulnerabilities. Users are advised to enable the “strict-validate-path-type” option and implement additional restrictions by utilizing the --enable-annotation-validation flag, which prevents the creation of Ingress objects that contain invalid characters.

To address CVE-2023-5043 and CVE-2023-5044, ARMO recommends updating NGINX to version 1.19 and adding the --enable-annotation-validation command-line option. Hirschberg noted that although these vulnerabilities target different aspects of the system, they highlight a shared underlying issue.
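The following Python audit is an added example, not code from the article or from ARMO: it checks whether the two recommended controller settings (the “strict-validate-path-type” ConfigMap key and the --enable-annotation-validation flag) are in place, and flags Exact/Prefix Ingress paths that strict validation would reject. The allowed-character pattern approximates the controller's check and is an assumption, as are the constructed sample objects.

```python
import re
from typing import Dict, List

# Assumption: approximates the alphanumeric check ingress-nginx applies to Exact/Prefix
# paths when strict-validate-path-type is enabled (letters, digits, '-', '_', '.', '/').
# Regex syntax is only legitimate under pathType ImplementationSpecific.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]*$")


def missing_mitigations(configmap_data: Dict[str, str], controller_args: List[str]) -> List[str]:
    """List which of the two recommended controller settings are absent."""
    missing = []
    if configmap_data.get("strict-validate-path-type", "false").lower() != "true":
        missing.append("ConfigMap: strict-validate-path-type is not 'true'")
    flag_set = any(a in ("--enable-annotation-validation", "--enable-annotation-validation=true")
                   for a in controller_args)
    if not flag_set:
        missing.append("controller args: --enable-annotation-validation not set")
    return missing


def nonconforming_paths(ingress: dict) -> List[str]:
    """Return 'namespace/name: path' for Exact/Prefix paths strict validation would reject."""
    meta = ingress["metadata"]
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            if (entry.get("pathType", "ImplementationSpecific") != "ImplementationSpecific"
                    and not SAFE_PATH.match(path)):
                findings.append(f"{meta['namespace']}/{meta['name']}: {path}")
    return findings


# Constructed sample objects standing in for `kubectl get ingress -A -o json` output.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/api/v1", "pathType": "Prefix"},
         {"path": "/health.json", "pathType": "Exact"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "static"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/static/(.*)", "pathType": "Prefix"},  # regex under Prefix: rejected
         {"path": "/legacy/(.*)", "pathType": "ImplementationSpecific"}]}}]}},  # allowed
]


def audit(configmap_data: Dict[str, str], controller_args: List[str], ingresses: list) -> List[str]:
    """Combine both checks into one list of findings (empty means nothing to fix)."""
    findings = missing_mitigations(configmap_data, controller_args)
    for ing in ingresses:
        findings.extend(nonconforming_paths(ing))
    return findings


if __name__ == "__main__":
    for line in audit({"strict-validate-path-type": "false"}, ["/nginx-ingress-controller"], SAMPLE_INGRESSES):
        print(line)
```

In a live cluster, feed `audit()` the controller ConfigMap `data`, the controller container `args`, and the items of `kubectl get ingress -A -o json`.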

Ingress controllers inherently possess access to TLS secrets and Kubernetes API due to their design, granting them a high-privilege scope. This accessibility renders them particularly vulnerable, especially as they often serve as exposed components facing the public internet.

Given these developments, business owners and IT professionals must be vigilant in assessing their cybersecurity frameworks. The potential exploitation of these vulnerabilities reflects an increasing need for robust security measures, particularly concerning initial access and privilege escalation techniques commonly identified within the MITRE ATT&CK framework. As threat actors continually evolve their methodologies, proactive monitoring and timely updates remain paramount in safeguarding sensitive data within Kubernetes environments.
