Multiple vulnerabilities in Ingress-NGINX Controller for Kubernetes

1) OS Command Injection

EUVDB-ID: #VU82556

Risk: Medium

CVSSv3.1: 6.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-5043

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary commands on the target system.

The vulnerability exists due to improper input validation in the nginx.ingress.kubernetes.io/configuration-snippet annotation. A remote user can pass specially crafted data to the application, execute arbitrary OS commands and obtain the credentials of the ingress-nginx controller.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ingress-NGINX Controller for Kubernetes: 1.0.0 - 1.8.4

External links

http://github.com/kubernetes/ingress-nginx/issues/10571
http://groups.google.com/g/kubernetes-security-announce/c/pVsXsOpxYZo
http://www.openwall.com/lists/oss-security/2023/10/25/4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Code Injection

EUVDB-ID: #VU82557

Risk: Medium

CVSSv3.1: 6.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-5044

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the nginx.ingress.kubernetes.io/permanent-redirect annotation on an Ingress object. A remote user can send a specially crafted request, inject arbitrary commands, and obtain the credentials of the ingress-nginx controller.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ingress-NGINX Controller for Kubernetes: 1.0.0 - 1.8.4

External links

http://github.com/kubernetes/ingress-nginx/issues/10572
http://groups.google.com/g/kubernetes-security-announce/c/ukuYYvRNel0
http://www.openwall.com/lists/oss-security/2023/10/25/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Input validation error

EUVDB-ID: #VU82559

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-4886

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user who can create or update ingress objects can use directives to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ingress-NGINX Controller for Kubernetes: 1.0.0 - 1.7.1

External links

http://github.com/kubernetes/ingress-nginx/issues/10570
http://groups.google.com/g/kubernetes-security-announce/c/ge7u3qCwZLI
http://www.openwall.com/lists/oss-security/2023/10/25/5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.