Critical NGINX Ingress Security Flaw Exposes Kubernetes API Server Credentials to Attackers


The NGINX Ingress Controller manages traffic routing for Kubernetes, building on the well-established NGINX reverse proxy server. A Kubernetes Ingress, in turn, is the API object that defines HTTP and HTTPS routing to services based on specific criteria, such as hostnames and URL paths.

The recent revelations of unpatched security flaws in the NGINX Ingress controller for Kubernetes have raised alarm bells, underscoring the critical importance of addressing these vulnerabilities promptly.

Three high-severity security flaws have emerged, casting a shadow over NGINX Ingress Controller’s integrity. These vulnerabilities, if exploited, could potentially allow threat actors to pilfer secret credentials from Kubernetes clusters, posing a significant security risk.

  1. CVE-2022-4886 (CVSS score: 8.8): This vulnerability is a bypass of Ingress-nginx path sanitization. It could enable attackers to obtain the credentials of the ingress-nginx controller, creating a pathway for unauthorized access. It’s important to note that the default ingress-nginx controller has access to all the secrets within the Kubernetes cluster. Systems without an ingress-nginx installation are not affected. To check whether the controller is deployed in your cluster, and therefore whether this vulnerability applies, run “kubectl get po -n ingress-nginx”.
  2. CVE-2023-5043 (CVSS score: 7.6): Ingress-nginx annotation injection opens the door to arbitrary command execution, which could lead to unauthorized access to sensitive data. If there are no ingress-nginx installations within the cluster, this vulnerability is not applicable; the same “kubectl get po -n ingress-nginx” command confirms whether the controller is present.
  3. CVE-2023-5044 (CVSS score: 7.6): This vulnerability involves code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation. If exploited, it could compromise the security of the environment, creating significant risks for Kubernetes clusters. The same command can be used to check whether a cluster is affected. These two annotation-injection vulnerabilities become reachable in a range of scenarios, including multi-tenant clusters, potentially malicious configurations from untrusted sources, configurations copied from the web or ChatGPT, or insiders who have the authority to modify configurations but lack direct access to the cluster.

Successful exploitation of these vulnerabilities could have far-reaching consequences. Threat actors could inject arbitrary code into the ingress controller process, gaining unauthorized access to sensitive data. In the case of CVE-2022-4886, it’s worth noting that a lack of validation in a specific field can facilitate the siphoning of Kubernetes API credentials from the ingress controller. This flaw is especially concerning as it opens the door to stealing critical credentials for authentication against the API server.

To address these vulnerabilities, the maintainers of NGINX Ingress Controller have released mitigations so that businesses can act promptly. These include enabling the “strict-validate-path-type” option and setting the “--enable-annotation-validation” flag, which enforces restrictions on the ingress-nginx annotation fields. These steps prevent the creation of Ingress objects with invalid characters in their paths and add further restrictions on annotations.

For those looking for a comprehensive resolution, updating NGINX to version 1.19, coupled with adding the “--enable-annotation-validation” command-line configuration, can effectively resolve CVE-2023-5043 and CVE-2023-5044.
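The checks in the list above and the two mitigations just described can be turned into a repeatable audit. The script below is an added example written for this article, not code from the ingress-nginx project. It inspects the controller Deployment and ConfigMap for the “--enable-annotation-validation” flag and the “strict-validate-path-type” setting, and scans Ingress objects for the permanent-redirect annotation and for Exact/Prefix paths containing characters outside a conservative allow-list. The allow-list regex is an assumption that follows the intent of strict-validate-path-type rather than the controller’s exact rule, and the object names ingress-nginx-controller are assumed to match a default install; the sample objects are constructed to look like “kubectl get … -o json” output.

```python
"""Audit ingress-nginx hardening settings from kubectl JSON output (added example)."""
import re

# Annotation named in CVE-2023-5044; flagged for review, not treated as proof of abuse.
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/permanent-redirect"
VALIDATION_FLAG = "--enable-annotation-validation"
# Conservative allow-list for Exact/Prefix paths. Assumption for this example:
# it mirrors the intent of strict-validate-path-type, not the controller's exact regex.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def controller_args(deployment):
    """Collect the args of every container in the controller Deployment."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return [arg for c in containers for arg in c.get("args", [])]


def audit_controller(deployment, configmap):
    """Return findings for the two mitigations the advisory names."""
    findings = []
    args = controller_args(deployment)
    if not any(a in (VALIDATION_FLAG, VALIDATION_FLAG + "=true") for a in args):
        findings.append(f"controller runs without {VALIDATION_FLAG}")
    value = configmap.get("data", {}).get("strict-validate-path-type", "false")
    if value.strip().lower() != "true":
        findings.append('ConfigMap lacks strict-validate-path-type: "true"')
    return findings


def audit_ingresses(ingress_list):
    """Flag Ingress objects using the redirect annotation or unusual path characters."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing["metadata"]
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        if REDIRECT_ANNOTATION in meta.get("annotations", {}):
            findings.append(f"{name}: sets {REDIRECT_ANNOTATION}; review its value")
        for rule in ing.get("spec", {}).get("rules", []):
            for entry in rule.get("http", {}).get("paths", []):
                path = entry.get("path", "/")
                if entry.get("pathType") in ("Exact", "Prefix") and not SAFE_PATH.match(path):
                    findings.append(f"{name}: path {path!r} has characters outside the allow-list")
    return findings


# Constructed sample objects shaped like `kubectl get <kind> -o json` output.
# Assumed default object name: ingress-nginx-controller in namespace ingress-nginx.
WEAK_DEPLOYMENT = {
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "controller", "args": ["/nginx-ingress-controller",
                                        "--controller-class=k8s.io/ingress-nginx"]}]}}},
}
WEAK_CONFIGMAP = {"metadata": {"name": "ingress-nginx-controller"}, "data": {}}

HARDENED_DEPLOYMENT = {
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "controller", "args": ["/nginx-ingress-controller",
                                        "--controller-class=k8s.io/ingress-nginx",
                                        VALIDATION_FLAG]}]}}},
}
HARDENED_CONFIGMAP = {"metadata": {"name": "ingress-nginx-controller"},
                      "data": {"strict-validate-path-type": "true"}}

SAMPLE_INGRESSES = {"items": [
    {"metadata": {"name": "shop", "namespace": "web", "annotations": {}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/shop", "pathType": "Prefix"}]}}]}},
    {"metadata": {"name": "legacy", "namespace": "web",
                  "annotations": {REDIRECT_ANNOTATION: "https://example.com/new"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/app/(.*)", "pathType": "Prefix"}]}}]}},
]}

if __name__ == "__main__":
    for label, dep, cm in (("weak", WEAK_DEPLOYMENT, WEAK_CONFIGMAP),
                           ("hardened", HARDENED_DEPLOYMENT, HARDENED_CONFIGMAP)):
        print(f"[{label}] controller findings:", audit_controller(dep, cm) or "none")
    print("ingress findings:", audit_ingresses(SAMPLE_INGRESSES) or "none")
```

Against a live cluster, feed the script the output of “kubectl get deploy ingress-nginx-controller -n ingress-nginx -o json”, the matching ConfigMap, and “kubectl get ingress -A -o json” instead of the constructed samples; a clean run reports no controller findings and only Ingress entries you can account for.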

It’s crucial to emphasize that these vulnerabilities all point to the same underlying problem. Ingress controllers, which handle TLS secrets and talk to the Kubernetes API, run with a high privilege scope, which makes them a particularly valuable target for external threats entering the cluster through them.

In a world where cloud computing is the backbone of modern business operations, the security of payment data within cloud infrastructure is non-negotiable. These security flaws underscore the importance of proactive measures to ensure robust security practices. By complying with PCI DSS compliance rules and regulations, organizations can fortify their commitment to data security, customer trust, and sustained growth in an interconnected world.

In the face of these critical NGINX Ingress security flaws, safeguarding your Kubernetes API Server credentials is of utmost importance. Protecting your system requires a comprehensive approach to address these vulnerabilities. Ampcus Cyber specializes in providing tailored PCI DSS compliance Services to enhance your cybersecurity measures. Our team of experts can assist you in identifying and mitigating these security risks, ensuring your Kubernetes cluster remains secure. To stay ahead of potential threats and maintain the integrity of your systems, reach out to Ampcus Cyber for expert guidance and security compliance solutions.

Stay informed and vigilant about security issues like these to safeguard your organization’s data and maintain customer trust.
