A critical security vulnerability (CVE-2024-7646) has been discovered in ingress-nginx, a popular ingress controller for Kubernetes. This vulnerability allows an attacker with permission to create Ingress objects in the networking.k8s.io or extensions API group to bypass annotation validation and inject arbitrary commands, ultimately leading to the exposure of the credentials of the ingress-nginx controller. In the default configuration, these credentials have access to all secrets in the cluster, putting your sensitive data at risk.

The vulnerability is demonstrated in the following code snippet:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: 'nginx; echo "Hello, World!" >> /tmp/hello.txt;'
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-service
          servicePort: 80

In the above snippet, the Ingress object is created with an annotation containing a semicolon followed by a shell command. This command injection bypasses the annotation validation and leads to the execution of the arbitrary command as the ingress-nginx controller.

Original References

More details about the vulnerability, including methods of mitigation, can be found in the following official references:

1. GitHub Issue - CVE-2024-7646: Bypass of annotation validation in ingress-nginx
2. Ingress-nginx Security: Unauthorized Access to Cluster Secrets Using Ingress

1. Access to a Kubernetes cluster where the ingress-nginx controller is running.
2. Permission to create and modify Ingress objects in the networking.k8s.io or extensions API group.

After bypassing annotation validation and injecting arbitrary commands, the attacker can obtain the ingress-nginx controller credentials, which, in the default configuration, give access to all the secrets in the cluster. This could lead to unauthorized access to sensitive data, such as passwords and API keys.

Mitigation and Prevention

1. Ensure that you are using the latest version of ingress-nginx, as the vulnerability has been fixed in recent versions.
2. Restrict the permissions of users and service accounts that can create and modify Ingress resources in your Kubernetes cluster.
3. Regularly audit your Kubernetes cluster and Ingress objects for any signs of unauthorized access or modifications.
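
One way to carry out the audit in item 3, as an added example (not code from the ingress-nginx project): the function below scans Ingress objects for annotation values that contain the semicolon pattern shown in the snippet above. The control-character and shell-metacharacter checks, the watched annotation prefixes, and the sample data are assumptions of this example.

```python
import json
import re

# Heuristic of this example (not ingress-nginx's own validation): the ';' seen
# in the page's snippet, control characters, backticks and "$(".
SUSPICIOUS = re.compile(r"[;`\x00-\x1f\x7f]|\$\(")
# Annotation namespaces the controller reads; an assumption of this example.
WATCHED = ("kubernetes.io/ingress.class", "nginx.ingress.kubernetes.io/")


def audit_ingresses(ingress_list):
    """Return one finding per watched annotation whose value looks injected."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(WATCHED):
                continue
            hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(str(value))})
            if hits:
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "name": meta.get("name", "<unnamed>"),
                    "annotation": key,
                    "matched": [repr(h) for h in hits],
                })
    return findings


# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads(r'''
{"items": [
  {"metadata": {"name": "test-ingress", "namespace": "default", "annotations": {
     "kubernetes.io/ingress.class": "nginx; echo \"Hello, World!\" >> /tmp/hello.txt;"}}},
  {"metadata": {"name": "shop", "namespace": "web", "annotations": {
     "kubernetes.io/ingress.class": "nginx",
     "nginx.ingress.kubernetes.io/rewrite-target": "/$1"}}},
  {"metadata": {"name": "cr-test", "namespace": "web", "annotations": {
     "nginx.ingress.kubernetes.io/auth-realm": "site\r\nextra"}}}
]}
''')

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        print(f"{f['namespace']}/{f['name']}: {f['annotation']} matched {f['matched']}")
```

Pass it the parsed output of `kubectl get ingress -A -o json` in place of `SAMPLE`. A finding is a lead for manual review, since some annotations legitimately contain semicolons.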

Take immediate action to review your Kubernetes cluster and apply the necessary updates or patches to prevent unauthorized access to your ingress-nginx controller and cluster secrets. CVE-2024-7646 is a critical issue that demands your attention, so ensure your systems are protected and your sensitive data remains secure.

Timeline

Published on: 08/16/2024 18:15:10 UTC
Last modified on: 08/19/2024 16:35:33 UTC