CVE-2021-25745: Ingress-nginx path can be pointed to service account token file
#8502
Comments
k8s-ci-robot
added
needs-triage
cjcullen
changed the title
path can be pointed to service account token file
|
Should the invalidSecretsDir regex be updated to bash-5.1$ ls -l /var/run
lrwxrwxrwx 1 root root 4 Apr 4 16:07 /var/run -> /run
bash-5.1$ ls -l /run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx 1 root root 13 Apr 22 17:44 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Apr 22 17:44 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Apr 22 17:44 token -> ..data/token
bash-5.1$ Updating the regex to |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
|
@cjcullen , I am trying to experience this exploit in a instance of the ingress-nginx-controller, with chroot enabled on the nginx process. Can you help me gt a example value for the spec |
|
We were recently notified about this CVE. I see this seems to be fixed in v1.2.0. |
|
@foxylion yes, we are providing a Kyverno policy in the above linked PR (kyverno/policies#302) |
|
@chipzoller This is only an alternative, if I can't update, correct? |
|
As the rules for deep inspect are hard-coded in the code. |
|
@bmv126 this was discussed in the last community meeting. Maintainers were aware of this and are working on it from even before the issue was created or maybe even before the CVE was published. The controller v1.20 introduces capability to jail/charoot the nginx process so it has been tested that the obvious use case of getting a shell, by breaking out of the nginx process, will land the actor in a jailed/chrooted shell, if at all. That is one layer of protection. If you want to discuss further, it was reported that users can use this link https://github.com/kubernetes/ingress-nginx/blob/main/SECURITY.md and be discreet about putting sensitive info in public places. You could also reach out to maintainers without including groups in such communication, so as to reduce the radius for info spread. |
ghost
mentioned this issue
|
@bmv126 can you please open a PR adding the new rules? As the main code to fix this is shipped, I'm going to close this issue but I have some additional rules myself I want to add as well :) /close |
|
@rikatz: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Issue Details
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the
spec.rules[].http.paths[].pathfield of an Ingress object (in thenetworking.k8s.ioorextensionsAPI group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L), and assigned CVE-2021-25745.
Affected Components and Configurations
This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running
kubectl get po -n ingress-nginx.Multitenant environments where non-admin users have permissions to create Ingress objects are most affected by this issue.
Affected Versions
Fixed Versions
Mitigation
If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the
spec.rules[].http.paths[].pathfield on thenetworking.k8s.io/Ingressresource to known safe characters (see the newly added rules, or the suggested value for annotation-value-word-blocklist).Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See ingress-nginx Issue #8502 for more details.
Acknowledgements
This vulnerability was reported by Gafnit Amiga.
Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee
The text was updated successfully, but these errors were encountered: