Best of 2023: Three Newly-Discovered Kubernetes Ingress Vulnerabilities Create Security Challenge
As we close out 2023, we at Cloud Native Now wanted to highlight the most popular articles of the year. Following is the latest in our series of the Best of 2023.
Three vulnerabilities were disclosed in ingress controllers built on the open source NGINX software that is embedded within many Kubernetes clusters. Taken together, they make it possible for attackers to redirect traffic, inject arbitrary commands and code, and obtain the secret credentials held by the ingress-nginx controller.
Jimmy Mesta, CTO for Kubernetes Security Operations Center (KSOC), said these three vulnerabilities are problematic because they cannot be remediated via a patch or by upgrading to a higher version of Kubernetes. Instead, IT teams need to reconfigure NGINX ingress controllers to make sure that the attack paths these vulnerabilities enable are mitigated. Alternatively, IT teams may opt to replace NGINX ingress controllers with any of a number of existing alternatives.
Just as cloud services can be misconfigured, Mesta said, IT teams need to regularly review how the various Kubernetes services they run have been configured to ensure security. Given the complexity of Kubernetes environments, IT teams in general should be applying a microscopic approach to Kubernetes, he added.
Kubernetes security is becoming a bigger concern as more clusters are deployed in production environments. Earlier this year KSOC published a list of the eight Kubernetes vulnerabilities that are most likely to be exploited. The list is based on the Exploit Prediction Scoring System (EPSS) maintained by FIRST, the Forum of Incident Response and Security Teams, a community of cybersecurity professionals that provides members with access to a range of collaboration tools and platforms. The EPSS model scores Common Vulnerabilities and Exposures (CVE) entries on the estimated probability that they will be exploited in the wild, using factors such as the existence of proofs-of-concept (PoCs), the references attached to the CVE and observed exploitation activity.
Most organizations already find it challenging to hire and retain IT professionals with the skills needed to manage Kubernetes clusters. Even fewer have in-house Kubernetes security expertise.
For most Kubernetes vulnerabilities, remediation means upgrading to a newer release of Kubernetes. The challenge is that many organizations keep running older versions for fear that an upgrade will break applications already deployed because they depend on an application programming interface (API) that the newer release no longer serves.
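The two recurring chores in this article, reconfiguring the ingress-nginx controller so that risky Ingress annotations are not honoured and checking that an upgrade will not remove an API a workload depends on, can both be turned into a manifest audit. The following is an added example written for this page; it is not code from Cloud Native Now, KSOC or the ingress-nginx project. It assumes the controller ConfigMap is named `ingress-nginx-controller` in the `ingress-nginx` namespace (the default for the project's Helm chart and static manifests), uses two real ingress-nginx ConfigMap keys (`allow-snippet-annotations`, `strict-validate-path-type`) as a hardening baseline without claiming which of the three vulnerabilities each one addresses, and carries a small illustrative table of API removals that is not exhaustive. The sample manifests are constructed, so the script runs offline; in practice you would feed it `kubectl get ingress,configmap,cronjob -A -o json`.

```python
"""Audit Kubernetes manifests for two problems raised in the article:
risky ingress-nginx annotation handling, and objects whose apiVersion is
gone in the Kubernetes release you plan to upgrade to.

Added example for this page; not the project's own code.  Manifests are
plain dicts (the structure of `kubectl ... -o json` items).
"""
from __future__ import annotations

# ASSUMPTION: default namespace/name of the controller ConfigMap as installed
# by the ingress-nginx Helm chart or static manifests.  Adjust for your install.
CONTROLLER_CONFIGMAP = ("ingress-nginx", "ingress-nginx-controller")

# Real ingress-nginx ConfigMap keys used here as a hardening baseline.  The
# article does not say which vulnerability each one addresses, so treat this
# as a review checklist, not a patch.
EXPECTED_CONTROLLER_SETTINGS = {
    "allow-snippet-annotations": "false",  # refuse *-snippet annotations
    "strict-validate-path-type": "true",   # reject unusual characters in paths
}

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# ILLUSTRATIVE SAMPLE of (apiVersion, kind) -> first release that no longer
# serves it.  Not exhaustive; verify against the upstream deprecation guide.
REMOVED_APIS = {
    ("extensions/v1beta1", "Ingress"): (1, 22),
    ("networking.k8s.io/v1beta1", "Ingress"): (1, 22),
    ("batch/v1beta1", "CronJob"): (1, 25),
    ("policy/v1beta1", "PodSecurityPolicy"): (1, 25),
    ("autoscaling/v2beta2", "HorizontalPodAutoscaler"): (1, 26),
}


def parse_version(version: str) -> tuple[int, int]:
    """'v1.28.3' or '1.28' -> (1, 28); patch level is irrelevant to removals."""
    parts = version.lstrip("v").split(".")
    return int(parts[0]), int(parts[1])


def _ident(obj: dict) -> tuple[str, str]:
    meta = obj.get("metadata", {})
    return meta.get("namespace", "default"), meta.get("name", "<unnamed>")


def snippet_annotation_findings(manifests: list[dict]) -> list[str]:
    """Ingress objects carrying any nginx.ingress.kubernetes.io/*-snippet
    annotation.  These let an Ingress author feed raw NGINX configuration to
    the controller, so inventory them before turning snippets off."""
    out = []
    for obj in manifests:
        if obj.get("kind") != "Ingress":
            continue
        ns, name = _ident(obj)
        for key in obj.get("metadata", {}).get("annotations", {}):
            if key.startswith(ANNOTATION_PREFIX) and key.endswith("-snippet"):
                out.append(f"{ns}/{name}: snippet annotation {key}")
    return out


def controller_config_findings(manifests: list[dict]) -> list[str]:
    """Controller ConfigMap settings that are unset or weaker than expected."""
    out = []
    for obj in manifests:
        if obj.get("kind") != "ConfigMap" or _ident(obj) != CONTROLLER_CONFIGMAP:
            continue
        data = obj.get("data", {})
        for key, want in EXPECTED_CONTROLLER_SETTINGS.items():
            got = data.get(key)
            if got is None:
                # Defaults have changed between releases, so pin the value.
                out.append(f"controller ConfigMap: {key} not set; set it to {want!r}")
            elif got != want:
                out.append(f"controller ConfigMap: {key}={got!r}, expected {want!r}")
    return out


def removed_api_findings(manifests: list[dict], target: str) -> list[str]:
    """Objects whose apiVersion/kind no longer exists in the target release."""
    tgt = parse_version(target)
    out = []
    for obj in manifests:
        removed_in = REMOVED_APIS.get((obj.get("apiVersion"), obj.get("kind")))
        if removed_in is not None and tgt >= removed_in:
            ns, name = _ident(obj)
            out.append(f"{ns}/{name}: {obj['apiVersion']} {obj['kind']} "
                       f"removed in v{removed_in[0]}.{removed_in[1]}")
    return out


def audit(manifests: list[dict], target: str) -> list[str]:
    """All findings, in the order a reviewer would triage them."""
    return (snippet_annotation_findings(manifests)
            + controller_config_findings(manifests)
            + removed_api_findings(manifests, target))


# Constructed sample manifests (not taken from a real cluster).
SAMPLE_MANIFESTS = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"namespace": "shop", "name": "web", "annotations": {
         "nginx.ingress.kubernetes.io/configuration-snippet":
             'more_set_headers "X-Frame-Options: DENY";'}}},
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"namespace": "legacy", "name": "old-api"}},
    {"apiVersion": "batch/v1", "kind": "CronJob",          # current API, not flagged
     "metadata": {"namespace": "ops", "name": "backup"}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "data": {"allow-snippet-annotations": "true"}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFESTS, "v1.28.0"):
        print(line)
```

Run against the constructed sample with a target of v1.28, the audit reports the snippet annotation on `shop/web`, the controller ConfigMap that still allows snippets and never pins `strict-validate-path-type`, and the `extensions/v1beta1` Ingress in `legacy` that a v1.22 or later API server will refuse; the `batch/v1` CronJob is not reported. Extend `REMOVED_APIS` from the upstream deprecation guide for the release you are actually moving to, and treat every snippet finding as a migration task to complete before flipping `allow-snippet-annotations` to `"false"`.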
However, it is only a matter of time before cybercriminals exploit these vulnerabilities, so upgrades and other mitigations should be applied as quickly as possible within the context of a larger DevSecOps workflow. The issue is that most DevSecOps workflows are still relatively immature.
It is not clear how many of the known Kubernetes vulnerabilities are being exploited, but IT teams should expect more of them to be discovered. The Cloud Native Computing Foundation (CNCF), which hosts the Kubernetes project, has commissioned third-party security audits of it, but as more cybersecurity researchers become familiar with the platform there will undoubtedly be more issues discovered, not just in Kubernetes itself but across the entire stack of software deployed on top of the clusters. In many instances, the software deployed on top of Kubernetes clusters is just as complex as Kubernetes itself.
The challenge, as always, is to make sure the organization as a whole is prepared to remediate those issues as quickly as possible versus waiting until the inevitable incident occurs.