Urgent New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes 2023

Three unpatched security vulnerabilities with a high-severity impact have been publicly disclosed in the NGINX Ingress controller for Kubernetes. These vulnerabilities have the potential to be exploited by threat actors to steal sensitive credentials from the cluster.


The identified vulnerabilities are as follows:


CVE-2022-4886 (CVSS score: 8.8): This vulnerability allows for the bypass of Ingress-nginx path sanitization, ultimately leading to the theft of credentials from the Ingress-nginx controller.


CVE-2023-5043 (CVSS score: 7.6): In this case, Ingress-nginx annotation injection can result in arbitrary command execution.


CVE-2023-5044 (CVSS score: 7.6): This vulnerability involves code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation.


Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, emphasized that these vulnerabilities empower an attacker with control over the Ingress object's configuration to pilfer secret credentials from the cluster, particularly referring to CVE-2023-5043 and CVE-2023-5044.


Successful exploitation of these flaws could enable an adversary to inject unauthorized code into the ingress controller process, potentially leading to unauthorized access to sensitive data.


CVE-2022-4886, stemming from a lack of validation in the "spec.rules[].http.paths[].path" field, grants an attacker with access to the Ingress object the capability to extract Kubernetes API credentials from the ingress controller.


Hirschberg pointed out that within the Ingress object, an operator can specify how incoming HTTP paths are routed to internal paths. However, the vulnerable application does not perform adequate validation of the internal path, potentially pointing to the internal file containing the service account token used for authentication against the API server.


While official fixes are pending, the maintainers of the software have released mitigations. These involve enabling the "strict-validate-path-type" option and setting the "--enable-annotation-validation" flag, which together reject Ingress objects containing invalid characters and enforce additional validation on the controller's inputs.


According to ARMO, updating the NGINX Ingress controller to version 1.19 and adding the "--enable-annotation-validation" command-line flag can effectively address CVE-2023-5043 and CVE-2023-5044.
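Until the mitigations above are rolled out to every cluster, a defender can run a local check over Ingress manifests that mirrors their intent: reject paths with characters outside a strict allowlist and reject ingress-nginx annotation values that could break out of a directive. The following is an added example, not code from the article or from the ingress-nginx project; the allowlist regex and the forbidden-character set are this example's own assumptions, and the two manifests are constructed samples.

```python
import re

# Added example: a local pre-admission check in the spirit of the
# strict-validate-path-type and --enable-annotation-validation mitigations.
# The allowlists below are this example's own assumptions, not ingress-nginx's rules.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~%/-]*$")          # paths for Exact/Prefix
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
FORBIDDEN_ANNOTATION_CHARS = set("\n\r;{}$\\")             # could terminate/open a directive


def check_ingress(ingress: dict) -> list:
    """Return a list of findings (strings) for one Ingress manifest given as a dict."""
    findings = []
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    # Annotation values in the ingress-nginx namespace must be single-line and plain.
    for key, value in meta.get("annotations", {}).items():
        if key.startswith(ANNOTATION_PREFIX) and set(str(value)) & FORBIDDEN_ANNOTATION_CHARS:
            findings.append(f"{name}: annotation {key} contains forbidden characters")
    # spec.rules[].http.paths[].path must match the strict allowlist for Exact/Prefix.
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "")
            ptype = p.get("pathType", "ImplementationSpecific")
            if ptype in ("Exact", "Prefix") and not SAFE_PATH.match(path):
                findings.append(f"{name}: path {path!r} is not valid for pathType {ptype}")
    return findings


# Constructed sample manifests (not real cluster objects).
GOOD_INGRESS = {
    "metadata": {"name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.com/new"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/api/v1", "pathType": "Prefix", "backend": {}}]}}]},
}
BAD_INGRESS = {
    "metadata": {"name": "suspect", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.com/new\nx;"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/api/v1 x", "pathType": "Prefix", "backend": {}}]}}]},
}

if __name__ == "__main__":
    for ing in (GOOD_INGRESS, BAD_INGRESS):
        print(ing["metadata"]["name"], check_ingress(ing) or "OK")
```

The same function can be fed the output of `kubectl get ingress -A -o json` (each item under `items`) to audit existing objects before the controller flags are enabled.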


Hirschberg emphasized the common underlying issue across all these vulnerabilities. Ingress controllers inherently possess access to TLS secrets and the Kubernetes API, rendering them workloads with significant privilege. Moreover, since they are often exposed to the public internet, they are particularly susceptible to external traffic infiltrating the cluster through these components.
