A New Deadly Combination in Nginx

By Moshe Hassan

Nov 03, 2023

Recently a deadly combination of vulnerabilities emerged, posing a severe threat to Kubernetes clusters utilizing Ingress-Nginx. By exploiting three critical vulnerabilities:

  • CVE-2022-4886: the path field sanitization can be bypassed and ingress-nginx  credentials can be obtained
  • CVE-2023-5044: Code injection via ‘permanent-redirect’ annotation
  • CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution

attackers can execute arbitrary code and escalate privileges, all with access to the Nginx Annotation object. These vulnerabilities have been confirmed in both NGINX and Kubernetes/Ingress-Nginx, as reported by Google and various GitHub issues.

Ingress-Nginx Controller: A Cornerstone of Kubernetes Networking

The Ingress-Nginx controller is a component in Kubernetes, leveraging NGINX as a reverse proxy and load balancer. This controller streamlines the management of incoming traffic, directing it to the right services in your cluster. Ingress-Nginx enables secure communication. With the power of NGINX, Ingress-Nginx offers a strong foundation for managing ingress traffic in your Kubernetes setup.

Annotations: Customizing Ingress-Nginx Behavior

Annotations in Kubernetes are digital markers that add metadata to objects. They enhance configuration management and aid in ensuring seamless communication between application components. Annotations in the Ingress-Nginx controller allow you to customize its behavior. These notes, embedded in your configuration, act as guidelines that help the controller manage incoming web traffic and set security rules. While annotations offer clear benefits, they can also be difficult to secure, with misconfigurations posing significant security risks.

Nginx CVE Review

  • CVE-2023-5044 and CVE-2023-5043: These vulnerabilities allow attackers to steal sensitive credentials from the cluster by manipulating the Ingress object configuration. By default, these secrets include highly privileged credentials for the Kubernetes API server. The combination of these vulnerabilities enables attackers to inject arbitrary code into the Ingress controller process using the configuration-snippet (CVE-2023-5043) or permanent-redirect (CVE-2023-5044) annotation fields. This injected code grants access to the Ingress controller’s service account token, associated with a ClusterRole allowing access to all Kubernetes secrets within the cluster.
  • CVE-2022-4886: This vulnerability exposes a critical flaw in the way Ingress-Nginx handles the path field within Ingress routing definitions. When an attacker manipulates this vulnerable path field, they can redirect requests to an internal file containing the service account token, a client credential used for authentication against the Kubernetes API server.
    • By crafting a malicious path parameter, an attacker can orchestrate a route that points to the internal file housing the service account token.
    • Once the attacker gains control of the Ingress object, they can exploit this misconfiguration to steal the Kubernetes API credentials from the Ingress controller. With these credentials in hand, the attacker gains unauthorized access to all secrets within the cluster.

Upwind’s research team has discovered numerous instances where both NGINX and Ingress-Nginx configurations possessed permissions to extract sensitive secrets, posing a substantial risk to Upwind customers. In response, our research team meticulously analyzed these vulnerabilities and proactively notified Upwind users, ensuring they were informed and equipped to safeguard their systems against potential exploits.

Nginx Attack Path Scenarios

  • In multi-tenant clusters, attackers exploit Ingress object vulnerabilities, compromising the entire cluster through escalated privileges.
  • Compromised supply chains and tainted configurations allow malicious actors to inject code, endangering users deploying these setups.
  • Tainted online examples from untrusted sources create deceptive entry points, necessitating heightened security in Kubernetes environments. Using configuration samples from the web or ChatGPT can expose users to tainted setups, elevating the risk of exploitation.
  • Malicious Helm charts in supply chains enable unauthorized access, especially in multi-tenant clusters, where attackers manipulate Ingress objects within their namespaces.
  • Insiders with configuration change rights but no direct cluster access pose threats, emphasizing the importance of securing internal permissions effectively.

How To Fix Nginx CVEs

This deadly combination requires immediate action. You can remediate Nginx CVEs by doing the following:

  • If you are using the out-of-the-box Kubernetes Ingress-Nginx controller, upgrade to version 1.9 or above to patch all vulnerabilities.
  • If you are utilizing Helm charts, update to version 4.8.3 to ensure protection against all three vulnerabilities.
  • For users employing pure NGINX, upgrading to version 1.19 or above is essential to safeguard against potential attacks.

Additionally, In the ingress-nginx controller deployment consider using the following flag in the Args section to mitigate vulnerabilities:

apiVersion: v1
kind: Pod
metadata:
  labels:
    ...
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  containers:
  - args:
    - /nginx-ingress-controller
 ...
### Append the flag inside the args section ###
    - -–enable-annotation-validation
### 
...

Copied


If your rule includes pathType values Exact or Prefix enable the strict-validate-path-type option from nginx-ingress-controller version 1.18 and above.

Upwind’s Response to Nginx Vulnerabilities

Upon learning about the Nginx vulnerabilities, Upwind’s research team was able to rapidly research and identify where these toxic combinations exist in our customers’ environments and notify them for immediate remediation. 

Going beyond the research team, the Upwind platform also identifies toxic combinations like Nginx using the following:

  • Vulnerability funnel: prioritize vulnerabilities by using context such as if they are in-use, actively loaded in memory or exposed to the Internet
  • Topology map: automatically see which resources are receiving Internet ingress or egress communication and identify any abnormal resource communication
  • Inventory management: easily search for image names or versions to rapidly identify vulnerable images in your environment and perform needed upgrades 

Find Nginx Vulnerabilities 

For further information on Nginx vulnerabilities or for assistance identifying critical vulnerability exposures in your environment within minutes, please ping us at [email protected].

A New Deadly Combination in Nginx

Further Reading

Research

Understanding Kubernetes Identities, Part 1

By Eliad Mualem

Jul 16, 2024

When it comes to Kubernetes, managing identities is pivotal for ensuring secure and efficient cluster operations. These identities can be human users or machines, each requiring specific permissions to perform their tasks. In our latest research, we have explored what Kubernetes identities are, the default identities, the permissions they can have, how to configure these […]

Research

Upwind Discovers New ArgoCD CVE-2024-37152 & Takes Over a Kubernetes Cluster

By Moshe Hassan

Jul 08, 2024

The Upwind research team is constantly monitoring the evolving threat landscape for emerging threats and vulnerabilities, and we recently discovered a new Unauthenticated Access vulnerability in ArgoCD – CVE-2024-37152. While this is only a moderate CVE, our research team found it as part of a toxic combination that included internet exposure. This combination permitted unauthorized […]

Research

GitLab Releases Critical CVEs Batch

By Moshe Hassan

Jul 01, 2024

GitLab has released crucial updates for both its Community Edition (CE) and Enterprise Edition (EE) with versions 17.1.1, 17.0.3, and 16.11.5. These updates address multiple high-severity security vulnerabilities, and all GitLab installations must be upgraded to these versions immediately. GitLab.com is already running the patched versions. Run Pipelines as Any User (CVE-2024-5655) This flaw allows […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2024, Upwind Security