Zalando Skipper Ingress Controller ExternalName Service Exposure Vulnerability

A vulnerability exists in Zalando Skipper versions prior to 0.24.0, when used as an Ingress controller. It allows users with the right permissions to create Ingress resources and Services of type ExternalName to route traffic through Skipper's network access to internal services. This could lead to unauthorized access to those services.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal services via Skipper's network, potentially exposing sensitive data or functionality.

Reproduction

To reproduce this vulnerability, deploy Zalando Skipper as an Ingress controller on a Kubernetes cluster. Create a Service of type ExternalName that points to an external DNS name. Then, create an Ingress resource that references this ExternalName service. When Skipper processes the Ingress, it will route traffic to the internal service specified by the ExternalName, bypassing normal access controls.

Remediation

Users can upgrade to Skipper version 0.24.0 or later, where this vulnerability is fixed. If upgrading is not possible, ExternalName services can be disabled in Skipper's Ingress controller configuration. For users who need to use ExternalName services, Skipper provides options to allow list specific ExternalName targets.