Kubernetes Nginx Ingress LFI Attack
Detection of local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers through analysis of Kubernetes logs.
This brief focuses on detecting local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. These attacks are identified by analyzing Kubernetes logs for suspicious patterns indicative of LFI attempts. The detection leverages Kubernetes logs, specifically parsing the request field to identify LFI patterns. Successful exploitation can lead to attackers reading sensitive files from the server, potentially exposing critical information. This activity is significant because it can lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment. The provided detection logic originates from Splunk's security content and is designed to work with Kubernetes logs ingested via Splunk Connect for Kubernetes.
Attack Chain
- Attacker identifies a Kubernetes Nginx ingress controller vulnerable to LFI.
- The attacker crafts a malicious HTTP request containing an LFI payload within the URL. This payload aims to access sensitive files on the server.
- The crafted request is sent to the Kubernetes Nginx ingress controller.
- The Nginx ingress controller processes the request and attempts to access the file specified in the malicious payload.
- If the LFI vulnerability is successfully exploited, the targeted file's contents are exposed to the attacker.
- The attacker retrieves the contents of the sensitive file from the HTTP response.
- The attacker analyzes the exfiltrated file contents for sensitive information, such as credentials or configuration details.
Impact
A successful LFI attack against a Kubernetes Nginx ingress controller can lead to the exposure of sensitive data, potentially including configuration files, credentials, or internal application code. This can lead to further exploitation, such as privilege escalation or lateral movement within the Kubernetes cluster. The number of affected systems and organizations depends on the scope of the vulnerable ingress controllers.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect LFI attempts against Kubernetes Nginx ingress controllers based on suspicious URL patterns and log data.
- Ensure that Kubernetes logs are being ingested through Splunk Connect for Kubernetes, as this is a prerequisite for the detection logic.
- Investigate and remediate any identified LFI vulnerabilities in Kubernetes Nginx ingress controllers to prevent successful exploitation.
- Use the provided drilldown searches to pivot into detection results based on host and risk events.
Detection coverage 2
Kubernetes Nginx Ingress LFI Attempt
highDetects potential Local File Inclusion (LFI) attacks against Kubernetes Nginx Ingress Controllers by identifying suspicious file access patterns in request URLs.
Kubernetes Nginx Ingress LFI - Status Code
mediumDetects LFI attempts resulting in specific status codes indicative of file access issues.
Detection queries are available on the platform. Get full rules →