Open vulnerabilities in NGINX threaten Kubernetes data security

No fixes have been released yet. Who knows how many hackers managed to exploit the identified vulnerabilities.

Cybersecurity experts have identified three unpatched, high-severity vulnerabilities in the NGINX Ingress Controller. The zero-day flaws can lead to leaks of credentials and other secrets from Kubernetes clusters.

The identified issues were disclosed on October 27 and were designated CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886. It is not yet clear whether they have been used in actual attacks or when a fix will be released.

All three vulnerabilities affect the NGINX Ingress Controller, used in Kubernetes as a reverse proxy and load balancer, up to and including version 1.9.0.

The first two vulnerabilities, CVE-2023-5043 and CVE-2023-5044, are related to insufficient validation of input data and can lead to arbitrary code injection, obtaining privileged credentials, and stealing all cluster secrets. Both issues have a CVSS score of 7.6 out of 10.

The Kubernetes Security Response Committee recommends that Ingress administrators use the "--enable-annotation-validation" flag to enforce stricter validation of the contents of ingress-nginx annotation fields as a precautionary measure.

The third vulnerability, CVE-2022-4886, is rated higher — 8.8 on the CVSS scale. This problem can be exploited when creating or updating Ingress objects, allowing attackers to gain access to Kubernetes API credentials from the Ingress controller and, consequently, steal all cluster secrets. It affects versions up to and including 1.8.0.

Mitigation of this vulnerability depends on the configuration of the "pathType" field, which defines the proxy behavior. According to the information provided, when configuring "pathType" as "Exact" or "Prefix", you should block any Ingress with invalid characters:

"When configuring 'pathType' as 'Exact' or 'Prefix', a stricter check is applied, allowing only paths starting with the '/' character and containing only alphanumeric characters, as well as '-', '_' and additional '/' characters," the experts explain.

If "pathType" is set to "ImplementationSpecific", then administrators are encouraged to set a policy that blocks malicious paths, as shown in the Open Policy Agent example.
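As an added example (not from the article, the ingress-nginx project, or the OPA example it references), here is a small Python checker that applies the path rule quoted above to a constructed Ingress object; the regular expression is my encoding of that rule, and the sample manifest is constructed for illustration.

```python
import re

# Constructed sample Ingress (not from the article), shaped like a
# networking.k8s.io/v1 Ingress manifest already loaded into a dict.
SAMPLE_INGRESS = {
    "metadata": {"name": "demo"},
    "spec": {
        "rules": [
            {"http": {"paths": [
                {"path": "/api/v1", "pathType": "Prefix"},
                {"path": "/static_files", "pathType": "Exact"},
                {"path": "/foo(/|$)(.*)", "pathType": "ImplementationSpecific"},
                {"path": "/bad path;", "pathType": "Prefix"},
                {"path": "api", "pathType": "Prefix"},
            ]}}
        ]
    },
}

# Assumed encoding of the quoted rule: the path must begin with "/" and
# contain only alphanumerics, "-", "_" and further "/" characters.
STRICT_PATH = re.compile(r"^/[A-Za-z0-9_/-]*$")


def path_violations(ingress):
    """Return (path, pathType, reason) for each path that fails the check."""
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            ptype = entry.get("pathType", "")
            if ptype in ("Exact", "Prefix"):
                # Stricter check the article describes for these two types.
                if not STRICT_PATH.match(path):
                    findings.append((path, ptype, "disallowed characters or no leading '/'"))
            elif ptype == "ImplementationSpecific":
                # Not covered by the strict check; the article recommends an
                # admission policy (e.g. OPA) for this type, so flag for review.
                if not STRICT_PATH.match(path):
                    findings.append((path, ptype, "outside strict set; needs admission policy"))
            else:
                findings.append((path, ptype, "unknown pathType"))
    return findings


if __name__ == "__main__":
    for path, ptype, reason in path_violations(SAMPLE_INGRESS):
        print(f"{ptype:24} {path!r}: {reason}")
```

Running it against the sample flags the regex-style ImplementationSpecific path, the path with a space and semicolon, and the path missing its leading slash, while the two plain paths pass.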

The security of Ingress controllers is particularly worrisome, as they inherently have access to TLS and Kubernetes API secrets, making them privileged workloads. Given their importance as Internet-facing components, the risk of external attacks increases significantly.

Ben Hirschberg, co-founder and Chief Technology Officer of Kubernetes security firm Armo, points out: "All of these vulnerabilities point to the same underlying problem that requires immediate attention from cybersecurity professionals."