Media Mingle, Latest News

Critical Security Flaws Exposed in NGINX Ingress Controller for Kubernetes

In a recent revelation, three significant security flaws have been unveiled in the NGINX Ingress controller for Kubernetes, posing a serious threat of unauthorized access and data theft within the cluster.

Affected Versions

NGINX Ingress controller versions 1.26.0 and earlier are affected by these vulnerabilities.

Vulnerability Details

The identified vulnerabilities are detailed as follows:

  1. CVE-2023-5043: This vulnerability allows an attacker to inject arbitrary code into the NGINX Ingress controller process by exploiting the configuration-snippet annotation field.
  2. CVE-2023-5044: This vulnerability allows an attacker to inject arbitrary code into the NGINX Ingress controller process by exploiting the permanent-redirect annotation field.
  3. CVE-2022-4886: This vulnerability allows an attacker to steal Kubernetes API server credentials from the NGINX Ingress controller process by exploiting the path field in Ingress routing definitions.

According to Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, these vulnerabilities empower attackers to steal secret credentials by manipulating the Ingress object configuration.

What is NGINX Ingress Controller?

NGINX Ingress Controller is a tool that helps you manage traffic to your Kubernetes applications.

It does this by sitting in front of your Kubernetes cluster and routing traffic to the right applications. It can also do things like load balancing, TLS termination, and path-based routing.

Here is an analogy:

Imagine you have a website with a lot of traffic. You want to make sure that your website can handle all of the traffic and that it is always available.

You can use NGINX Ingress Controller to do this. NGINX Ingress Controller will sit in front of your website and distribute the traffic evenly across your servers. It will also make sure that your website is always available, even if one of your servers goes down.

In simpler terms, NGINX Ingress Controller is a traffic cop for your Kubernetes applications. It makes sure that traffic goes to the right applications and that your applications are always available.

Uses of NGINX Ingress Controller:

The NGINX Ingress Controller is a powerful tool that can be used for a variety of purposes, including:

  • Load balancing: NGINX Ingress Controller can load balance traffic across multiple Kubernetes pods, ensuring that no single pod is overloaded.
  • TLS termination: NGINX Ingress Controller can terminate TLS connections on behalf of Kubernetes pods, freeing them from having to handle TLS encryption and decryption.
  • Path-based routing: NGINX Ingress Controller can route traffic to different Kubernetes pods based on the path of the request. For example, you could use NGINX Ingress Controller to route traffic to a different pod for /api/v1/users and /api/v2/users.
  • Authentication and authorization: NGINX Ingress Controller can be used to authenticate and authorize incoming requests before they are forwarded to Kubernetes pods. This can be done using a variety of methods, such as OAuth2, JWT, and basic authentication.
  • Web application firewall (WAF): NGINX Ingress Controller can be used to implement a WAF, which can protect your Kubernetes applications from common web application attacks.

In addition to these general-purpose use cases, the NGINX Ingress Controller can also be used for more specific purposes, such as:

  • Canary releases: NGINX Ingress Controller can be used to implement canary releases, which allow you to gradually roll out new versions of your Kubernetes applications to production.
  • Blue/green deployments: NGINX Ingress Controller can be used to implement blue/green deployments, which allow you to switch between two versions of a Kubernetes application with no downtime.
  • API management: NGINX Ingress Controller can be used to manage API traffic, including things like rate limiting, authentication, and authorization.

Impact of Vulnerabilities:

If exploited, these vulnerabilities could allow an attacker to:

  • Steal secret credentials from the Kubernetes cluster, including Kubernetes API server credentials.
  • Gain full control over the Kubernetes environment.
  • Deploy malicious workloads to the Kubernetes cluster.
  • Exfiltrate data from the Kubernetes cluster.

Mitigation

To mitigate these vulnerabilities, users of the NGINX Ingress controller are advised to:

  • Upgrade to the latest version of the NGINX Ingress controller (1.27.0 or later).
  • Disable the configuration-snippet and permanent-redirect annotation fields in Ingress resources.
  • Use a Kubernetes Secret to store Kubernetes API server credentials.
  • Review Ingress routing definitions to ensure that the path field is not being used to exploit this vulnerability.

Additional Recommendations

In addition to the mitigation steps listed above, users of the NGINX Ingress controller are also advised to:

  • Implement least privilege access for the NGINX Ingress controller process.
  • Monitor the NGINX Ingress controller process for suspicious activity.
  • Implement a web application firewall (WAF) to protect the NGINX Ingress controller from common web application attacks.

Exploiting these flaws can result in injecting unauthorized code into the ingress controller process, providing adversaries with access to sensitive data.

Addressing CVE-2022-4886, ARMO suggests updating NGINX to version 1.19 and implementing the “--enable-annotation-validation” command-line configuration to mitigate CVE-2023-5043 and CVE-2023-5044.

Hirschberg emphasizes the shared root issue behind these vulnerabilities, stating, “Ingress controllers’ inherent access to TLS secrets and Kubernetes API, coupled with their public-facing nature, makes them highly susceptible to external threats entering the cluster.”

In response to the lack of fixes, mitigations have been introduced by the software maintainers, including enabling the “strict-validate-path-type” option and setting the --enable-annotation-validation flag. These measures aim to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.
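The review step from the Mitigation list and the path restriction described above can be run as an inventory check over existing Ingress objects. The following is an added example, not code from the article, ARMO or the ingress-nginx project: it reads the structure returned by `kubectl get ingress -A -o json`, and the path allow-list, the `audit_ingresses` and `_ing` names and the sample objects are assumptions made for illustration.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
# Annotation fields named in the two injection CVEs.
RISKY_ANNOTATIONS = {
    PREFIX + "configuration-snippet": "CVE-2023-5043",
    PREFIX + "permanent-redirect": "CVE-2023-5044",
}
# Assumption: a conservative allow-list for path values; anything else is queued for review.
SAFE_PATH = re.compile(r"/[A-Za-z0-9\-_/.]*")


def audit_ingresses(ingress_list):
    """Return (namespace, name, reason) findings from `kubectl get ingress -A -o json` data."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        for key in sorted(meta.get("annotations") or {}):
            if key in RISKY_ANNOTATIONS:
                findings.append((ns, name, f"{RISKY_ANNOTATIONS[key]}: uses {key}"))
        for rule in (item.get("spec") or {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path") or "/"
                if not SAFE_PATH.fullmatch(path):
                    findings.append(
                        (ns, name, f"CVE-2022-4886: review path {path!r} ({p.get('pathType')})"))
    return findings


def _ing(ns, name, annotations=None, paths=()):
    """Build a minimal Ingress object for the constructed sample below."""
    http = {"paths": [{"path": p, "pathType": t} for p, t in paths]}
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations},
            "spec": {"rules": [{"host": "app.example.test", "http": http}]}}


# Constructed sample data (not from a real cluster).
SAMPLE = {"items": [
    _ing("shop", "web", paths=[("/cart", "Prefix")]),
    _ing("shop", "legacy", {PREFIX + "configuration-snippet": "# placeholder"}, [("/", "Prefix")]),
    _ing("blog", "moved", {PREFIX + "permanent-redirect": "https://example.test/new"}, [("/old", "Exact")]),
    _ing("api", "rewrite", paths=[("/v1(/|$)(.*)", "ImplementationSpecific")]),
]}

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE):
        print(*finding, sep="\t")
```

A finding means the object needs a human look before the annotations are disabled or stricter validation is switched on; it does not by itself indicate compromise.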

Stay informed and safeguard your Kubernetes cluster from potential risks associated with these critical NGINX Ingress controller vulnerabilities.
