A vulnerability has been discovered in Ingress-nginx [1], identified as CVE-2022-4886. This vulnerability allows an attacker to steal Kubernetes API credentials by controlling the Ingress object [1]. The vulnerability arises when the ingress controller has access to all secrets in the cluster [1]. This article provides a detailed description of the vulnerability and suggests mitigation strategies.

Description

The vulnerability in Ingress-nginx is related to the use of the “path” field in Ingress routing definitions. The vulnerable application fails to properly validate the inner path [1], so the path can be made to point to the internal file containing the service account token used for authentication against the API server [1].

Mitigation for this vulnerability depends on the Ingress rules used by the operator [1]. If the rule has “pathType” set to “Exact” or “Prefix” [1], enabling the “strict-validate-path-type” option, available from nginx-ingress-controller version 1.18, can help mitigate the vulnerability. For rules with “pathType” set to “ImplementationSpecific” [1], the mitigation is an admission controller policy that filters out malicious paths [1]. An example of such a policy can be found at https://kubernetes.github.io/ingress-nginx/examples/openpolicyagent/ [1].
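The admission-policy mitigation described above, sketched as the decision core of a validating admission webhook in Python. This is an added example, not code from the cited articles or from the ingress-nginx project; the allow-list regex, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: allow-list for path characters; not taken from ingress-nginx or the
# cited articles. Widen it only for the regex features your routes really need.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/._~%-]*")

def path_violations(ingress):
    """List the ImplementationSpecific paths in an Ingress that fail the allow-list."""
    problems = []
    for r, rule in enumerate((ingress.get("spec") or {}).get("rules") or []):
        for p, entry in enumerate((rule.get("http") or {}).get("paths") or []):
            # Exact and Prefix are left to strict-validate-path-type, as the text says.
            if entry.get("pathType") in ("Exact", "Prefix"):
                continue
            path = entry.get("path")
            if path and not SAFE_PATH.fullmatch(path):
                problems.append(f"spec.rules[{r}].http.paths[{p}].path {path!r} rejected")
    return problems

def review(admission_review):
    """Build the AdmissionReview response for one request (webhook decision core)."""
    req = admission_review["request"]
    is_ingress = (req.get("kind") or {}).get("kind") == "Ingress"
    problems = path_violations(req.get("object") or {}) if is_ingress else []
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def make_request(uid, paths):
    """Constructed sample AdmissionReview for an Ingress with (path, pathType) pairs."""
    entries = [{"path": p, "pathType": t} for p, t in paths]
    return {"request": {"uid": uid, "kind": {"kind": "Ingress"},
                        "object": {"spec": {"rules": [{"http": {"paths": entries}}]}}}}

if __name__ == "__main__":
    good = make_request("constructed-1",
                        [("/app", "Prefix"), ("/api/v1", "ImplementationSpecific")])
    bad = make_request("constructed-2", [("/shop items;", "ImplementationSpecific")])
    for sample in (good, bad):
        print(review(sample)["response"])
```

An allow-list is used rather than a deny-list so that any character the policy author did not anticipate is rejected by default.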

To address this vulnerability [4], it is recommended to update NGINX to version 1.19 and add the “--enable-annotation-validation” command-line flag, as this resolves related vulnerabilities. Additionally, enabling the “strict-validate-path-type” option together with the “--enable-annotation-validation” flag can provide further mitigation [3].

Conclusion

This vulnerability highlights the potential risks associated with ingress controllers, which often face external traffic entering the cluster [3]. The severity of this vulnerability is rated as 6.7 (Medium) [4]. It is important for operators to implement the recommended mitigations to protect against potential attacks. Armosec has published a comprehensive report on these vulnerabilities [2], which provides detailed information about NGINX’s disclosure on GitHub [2].

References

[1] https://securityboulevard.com/2023/10/three-new-nginx-ingress-controller-vulnerabilities-reported-and-how-they-affect-kubernetes/
[2] https://cyberaffairs.com/news/nginx-ingress-security-flaw-attackers-kubernetes-api-server/
[3] https://thehackernews.com/2023/10/urgent-new-security-flaws-discovered-in.html
[4] https://cybersecuritynews.com/nginx-ingress-vulnerability/