Cybersecurity experts have discovered three critical vulnerabilities in the controller of incoming Nginx traffic, which could potentially lead to the leakage of accounting data and other secrets from Kubernetes clusters.
The vulnerabilities, identified on October 27, have been given the designations CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886. It is unclear whether these vulnerabilities have been used in any real attacks, and the release date for the fix is still unknown.
All three vulnerabilities impact nginx Ingress Controller, which is used in Kubernetes as a reverse proxy and load balancer, up to version 1.9.0.
The first two vulnerabilities, CVE-2023-5043 and CVE-2023-5044, result from insufficient verification of input data, and they can allow attackers to introduce arbitrary code, gain access to privileged accounting data, and steal all cluster secrets. Both vulnerabilities have been rated 7.6 out of 10 on the CVSS scale.
The Kubernetes security response committee advises implementing the flag “–enable-annotation-validation” for INGRESS as a precaution, in order to enhance the check of the contents of the annotation fields of INGRESS-NHINX.
The third vulnerability, CVE-2022-4886, has a higher rating of 8.8 on the CVSS scale. Exploiting this vulnerability can give attackers access to the Kubernetes API from the INGRESS controller, thereby allowing them to steal all cluster secrets. This vulnerability affects versions up to 1.8.0.
The severity of the consequences of this vulnerability depends on the configuration of the “Pathtype” field, which determines the behavior of the proxy. Setting “Pathtype” to “Exact” or “Prefix” will block any Ingress with unacceptable symbols.
If “pathType” is set to “ImplementationSpecific”, administrators are advised to implement a policy that blocks malicious paths, as shown in the example of open policy agent.
Ingress security is of particular concern as they inherently access TLS secrets and the Kubernetes API, making them high-value targets for attackers. With these vulnerabilities being exposed to the internet, the risk of external attacks significantly increases.
Ben Hirschberg, co-founder and chief technical director of ARMO, a company specializing in Kubernetes security, emphasizes the significance of these vulnerabilities and the need for immediate attention from cybersecurity experts.