This Week in Security: IngressNightmare, NextJS, and Leaking DNA
In a recent series of vulnerabilities, researchers from Wiz Research exposed multiple issues with the Kubernetes Ingress NGINX Controller that could allow an unauthenticated attacker to take control of a cluster. Dubbed "IngressNightmare," these chained vulnerabilities were present in over 6,500 Kubernetes installations reachable from the public Internet.
So, what's behind this chaos? Web applications running on Kubernetes need some way for outside traffic to reach the cluster. One popular solution is the Ingress NGINX Controller, which takes incoming requests and routes them to the correct place in the Kubernetes pod. Sounds straightforward, right? Well, not quite.
The controller's admission controller, which checks incoming Ingress configuration before it is applied, is a web endpoint without authentication, making it easily reachable from within the cluster or even from the open Internet. That was just the beginning of the problems. The Ingress Controller itself had multiple vulnerabilities that allowed raw NGINX config statements to be passed through into the configuration that it generates for testing. And then there's nginx -t, the command-line flag that tests and debugs a configuration. When it is run on configuration built from untrusted input, it can lead to a Remote Code Execution (RCE) vulnerability.
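Since the chain starts with raw NGINX statements smuggled into Ingress annotation values, one thing a cluster operator can do today is audit the Ingress objects they already have for values that look like configuration rather than data. The following script is an added example written for this article, not code from Wiz Research or the ingress-nginx project. It assumes the controller's annotation prefix (nginx.ingress.kubernetes.io/) and uses a simple character heuristic (newlines, semicolons, braces and comment markers, the characters needed to end one NGINX directive and start another) chosen for this example; it reads the JSON shape produced by kubectl get ingress -A -o json, and the sample input is constructed.

```python
import json

# Annotation prefix used by the Ingress NGINX controller. Values under it are
# rendered into the generated nginx.conf, so they are the place to look.
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Characters that an ordinary annotation value (a URL, a path, a hostname)
# should never contain, but which are exactly what is needed to close one
# NGINX directive and begin another. Heuristic chosen for this example.
SUSPICIOUS_CHARS = ("\n", ";", "{", "}", "#")


def find_config_injection(ingress_list_json: str):
    """Return (namespace, name, annotation, reason) tuples for every
    controller annotation whose value looks like an NGINX directive."""
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        ns = meta.get("namespace", "default")
        name = meta.get("name", "?")
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(NGINX_ANNOTATION_PREFIX):
                continue
            if not isinstance(value, str):
                continue
            hits = [c for c in SUSPICIOUS_CHARS if c in value]
            if hits:
                reason = "contains " + ", ".join(repr(c) for c in hits)
                findings.append((ns, name, key, reason))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`:
# one ordinary Ingress and one whose annotation value carries a line break
# and a statement terminator.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
        {"metadata": {"namespace": "shop", "name": "api",
                      "annotations": {
                          "nginx.ingress.kubernetes.io/auth-url":
                              "http://auth.shop.svc/verify;\n"}}},
    ]
})

if __name__ == "__main__":
    for ns, name, key, reason in find_config_injection(SAMPLE):
        print(f"{ns}/{name}: {key} {reason}")
```

Run it against a live dump with kubectl get ingress -A -o json | python3 audit.py after swapping SAMPLE for sys.stdin.read(); a non-empty result is a reason to inspect who created the object, not proof of compromise, since a few legitimate annotations do carry multi-line values.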
But wait, there's more! The default postgres database on a default Appsmith install allows local connections to any user, making it vulnerable to pseudo-unauthenticated RCEs. This means that even without proper permissions, an attacker could potentially run arbitrary bash code on the server.
Meanwhile, 23andMe has filed for Chapter 11 bankruptcy, raising concerns about what happens to customers' DNA data once the company is sold. Customers are being advised to log in and request that their data be deleted.
Appsmith, another platform under scrutiny, revealed a series of CVEs (Common Vulnerabilities and Exposures) that highlight issues with error handling, SQL injection vulnerabilities, and pseudo-unauthenticated RCEs. While not all of these vulnerabilities are severe, they're still enough to raise concerns about data security.
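The Postgres problem above comes down to one file: pg_hba.conf decides which connections need a password. The following checker is an added example written for this article, not code from Appsmith or the Postgres project. It assumes that "allows local connections to any user" corresponds to a trust rule for Unix-socket or loopback connections, and the two configuration samples (a permissive one and a corrected one) are constructed for the example.

```python
# pg_hba.conf rows have the form
#   TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]
# "local" rows describe Unix-socket connections and carry no ADDRESS column.

# Authentication methods that let a caller in without presenting a secret.
WEAK_METHODS = {"trust"}

# Addresses that mean "same host"; a trust rule here is as open as a local one.
LOOPBACK = {"127.0.0.1/32", "::1/128"}


def parse_pg_hba(text: str):
    """Parse pg_hba.conf text into a list of row dicts, skipping comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                continue
            db, user, address, method = fields[1], fields[2], None, fields[3]
        else:  # host, hostssl, hostnossl
            if len(fields) < 5:
                continue
            db, user, address, method = fields[1], fields[2], fields[3], fields[4]
        rows.append({"type": conn_type, "database": db, "user": user,
                     "address": address, "method": method})
    return rows


def find_open_local_access(text: str):
    """Return rows where anyone on the host can connect as any role with no password."""
    return [r for r in parse_pg_hba(text)
            if r["user"] == "all"
            and r["method"] in WEAK_METHODS
            and (r["type"] == "local" or r["address"] in LOOPBACK)]


# Constructed sample resembling a permissive default.
PERMISSIVE = """
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
host    all       all   ::1/128       trust
host    all       all   0.0.0.0/0     scram-sha-256
"""

# Constructed corrected version: every path requires a password.
HARDENED = """
local   all       all                 scram-sha-256
host    all       all   127.0.0.1/32  scram-sha-256
host    all       all   ::1/128       scram-sha-256
host    all       all   0.0.0.0/0     scram-sha-256
"""

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        rows = find_open_local_access(conf)
        print(f"{label}: {len(rows)} open local rule(s)")
        for r in rows:
            print("   ", r)
```

The check deliberately treats loopback trust the same as socket trust: any process that can reach the database port on the same host, which on an application server includes the application itself, gets in as any role.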
A Blast from the Past: The BLASTPASS Exploit
Google's Project Zero team recently conducted an in-depth analysis of the BLASTPASS exploit, a 2003 NSO Group vulnerability used against iMessage on iOS devices. This exploit utilized a Huffman tree decompression vulnerability to trigger code execution.
The findings from this analysis are both impressive and sobering, highlighting the importance of keeping software up-to-date and being vigilant about potential security threats.
BlackLock Ransomware Group Hacked
Resecurity researchers successfully cracked the infrastructure of the BlackLock ransomware group by exploiting a vulnerability in their Data Leak Site. The result was a treasure trove of stolen data, including server history logs, email addresses, passwords, and IP address records.
A Phishing Attack on Troy Hunt
Troy Hunt, the renowned expert on pwned passwords, fell victim to a phishing attack. His haveibeenpwned.com service was used to notify him of his compromised email address, serving as a reminder that cyber attacks can happen to anyone.
It's time for us all to be kind and take cybersecurity seriously. Whether you're a seasoned expert or just starting out, there's always something new to learn.