Kubernetes: Compromise of auth via subset/superset namespace names.

Report Submission Form

Summary:

Use of nginx.ingress.kubernetes.io/auth* annotations results in a file named {namespace}-{ingress}.passwd. If user knows the namespace and ingress of an ingress they want to compromise they need to be able to create a namespace that is some subset of {namespace}-{ingress}. Then they create an ingress with the remainder of the name and a passwd file of their choosing, this overwrites the other namespace’s passwd file and effectively removes the auth layer provided by nginx ingress.

Kubernetes Version:

$ kubectl version
Client Version: version.Info{Major:“1”, Minor:“16+”, GitVersion:“v1.16.5-beta.0”, GitCommit:“224be7bdce5a9dd0c2fd0d46b83865648e2fe0ba”, GitTreeState:“archive”, BuildDate:“2019-12-31T22:42:08Z”, GoVersion:“go1.12.13”, Compiler:“gc”, Platform:“linux/amd64”}
Server Version: version.Info{Major:“1”, Minor:“16”, GitVersion:“v1.16.2”, GitCommit:“c97fe5036ef3df2967d086711e6c0c405941e14b”, GitTreeState:“clean”, BuildDate:“2019-10-15T19:09:08Z”, GoVersion:“go1.12.10”, Compiler:“gc”, Platform:“linux/amd64”}

Installed via kubeadm on gentoo (though I don’t think this is relevant to vulnerability).

Component Version:

quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1

Steps To Reproduce:

1. Install nginx ingress
2. Create namespace a and ingress b-c within a with an auth annotation.
3. Create namespace a-b and ingress c within a-b with an auth annotation that overrides the passwd file from #2.
4. Auth to ingress on a/b-c is now governed by the htpasswd file generated for a-b/c.

Suggested Resolution:

1. Change line 141 of internal/ingress/annotations/auth/main.go to %v/%v/%v.
2. Create folder to go along with.
3. Check that the folder and file will actually be in the right location (… is allowed as a namespace).

Impact

Attacker can override the htpasswd file of another ingress effectively neutralizing the http authentication.