A critical security vulnerability (CVE-2021-25748) has been discovered in ingress-nginx, a popular ingress controller for Kubernetes. This vulnerability allows a malicious user with access to create or update ingress objects to bypass sanitization and potentially gain unauthorized access to all secrets within the cluster. This post will provide an overview of the exploit, code snippets to demonstrate the issue, and links to original references for further information.

Vulnerability Details

The CVE-2021-25748 security issue was found in the ingress-nginx controller, in versions .29. to v.44. (inclusive), and more specifically in the sanitization of the spec.rules[].http.paths[].path field of an Ingress object.

Using a newline character (\n), a user with the ability to create or update ingress objects can bypass the sanitization process and inject extra headers into the request. This can lead to unauthorized access to the ingress-nginx controller's credentials. In default configurations, these credentials allow access to all secrets in the cluster, making this a critical vulnerability.

The malicious user can craft an Ingress object as shown below:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cve-2021-25748-exploit
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: "/\nBreak-Header: compromised"
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

In this example, the malicious user injects the Break-Header: compromised header into the request by inserting a newline character after the /, effectively bypassing the sanitization process.

Once the compromised ingress object is created, the vulnerability can be exploited by sending crafted requests to that ingress. When the ingress-nginx controller processes the request, it can leak the credential and allow unauthorized access to cluster secrets.
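The condition the advisory describes is visible in the cluster's own Ingress objects: a path value carrying a newline (or any other control character) is never legitimate. The following Python scanner, added here as an example and not taken from the post or from the ingress-nginx project, reads the JSON that `kubectl get ingress -A -o json` produces and flags every path that is not made of plain URL-path characters. The allowlist regex is an assumption of this example (a conservative character set, not the exact check ingress-nginx applies), and the embedded sample list is constructed to show one clean Ingress beside the injected one from the post.

```python
from __future__ import annotations

import json
import re
import sys
from typing import Iterator

# Assumption (not from the post): a conservative allowlist of characters that
# belong in an Ingress path. CR, LF and every other control character fall
# outside it, so a header-injection path like "/\nBreak-Header: x" is rejected.
SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9@:%._+~#?&/=\-]*$")

# C0 control characters plus DEL; reported separately so a finding says *why*.
CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {"\x7f"}


def path_is_safe(path: str) -> bool:
    """True if the path contains only allowlisted characters."""
    return SAFE_PATH_RE.fullmatch(path) is not None


def iter_ingress_paths(ingress: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (namespace/name, host, path) for every rule path in one Ingress."""
    meta = ingress.get("metadata", {}) or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for rule in (ingress.get("spec", {}) or {}).get("rules", []) or []:
        host = rule.get("host", "*")
        for p in (rule.get("http", {}) or {}).get("paths", []) or []:
            yield ident, host, p.get("path", "")


def find_suspicious_paths(ingress_list: dict) -> list[dict]:
    """Scan a kubectl 'List' of Ingress objects; return one finding per bad path."""
    findings = []
    for ing in ingress_list.get("items", []) or []:
        for ident, host, path in iter_ingress_paths(ing):
            if not path_is_safe(path):
                bad = sorted({c for c in path if c in CONTROL_CHARS})
                findings.append({
                    "ingress": ident,
                    "host": host,
                    "path": path,
                    "control_chars": [f"0x{ord(c):02x}" for c in bad],
                })
    return findings


# Constructed sample (abridged) of what `kubectl get ingress -A -o json` returns:
# one ordinary Ingress and one carrying the newline-injected path from the post.
SAMPLE_INGRESS_LIST = json.loads(r'''
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"rules": [{"host": "example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "web", "port": {"number": 80}}}}
     ]}}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "cve-2021-25748-exploit", "namespace": "default"},
     "spec": {"rules": [{"host": "example.com", "http": {"paths": [
        {"path": "/\nBreak-Header: compromised", "pathType": "Prefix",
         "backend": {"service": {"name": "my-service", "port": {"number": 80}}}}
     ]}}]}}
  ]
}
''')


if __name__ == "__main__":
    # Pass a file produced by kubectl, or run with no argument to scan the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INGRESS_LIST
    for f in find_suspicious_paths(data):
        print(f"SUSPICIOUS {f['ingress']} host={f['host']} "
              f"path={f['path']!r} control={f['control_chars']}")
```

To run it against a live cluster, dump the objects first and feed the file in: `kubectl get ingress -A -o json > ingresses.json` followed by `python3 check_paths.py ingresses.json`. Any finding is worth treating as an indicator, since the path is exactly the field the sanitization bypass abuses; the check complements the upgrade rather than replacing it, because only the fixed controller refuses such objects at admission time.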

Mitigation

It is recommended to upgrade the ingress-nginx controller to a patched version (v.45. or higher), which contains a fix for this vulnerability. You can find the patched versions on the ingress-nginx GitHub releases page.

References

For more information and the latest updates on this vulnerability, please refer to the following links:

- CVE-2021-25748 Reference
- Ingress-Nginx GitHub Repository
- Ingress-Nginx Upgrade Guide

Conclusion

CVE-2021-25748 is a critical security vulnerability discovered in ingress-nginx. It is essential for Kubernetes administrators to promptly apply the mitigation steps and update the ingress-nginx controller to a fixed version to prevent unauthorized access to cluster secrets. Always stay informed of the latest security updates to keep your clusters and applications secure.

Timeline

Published on: 05/24/2023 17:15:00 UTC
Last modified on: 06/01/2023 20:44:00 UTC