Unprotected Kong Gateway Admin API interface
Description
Kong Gateway is an open-source, lightweight API gateway. Alongside the proxy listener (ports 8000 and 8443 by default) it runs an internal RESTful Admin API (port 8001, and 8444 for TLS, by default) through which the gateway's Services, Routes, Consumers and plugins are managed. In the traditional database-backed deployment mode the Admin API can be called on any node of the cluster: a change is written to the shared database and picked up by every other node. In DB-less mode each node serves its own declarative configuration file, and the Admin API is read-only apart from the /config endpoint.
The vulnerability is an Admin API that is reachable from the network without authentication. Open-source Kong ships no authentication for the Admin API at all: whoever can open a connection to it can read the complete gateway configuration (including consumer credentials such as API keys) and create, change or delete Services, Routes and plugins, which amounts to control over all traffic the gateway proxies. The default kong.conf binds the Admin API to 127.0.0.1, so exposure usually comes from an admin_listen = 0.0.0.0:8001 setting (or KONG_ADMIN_LISTEN=0.0.0.0:8001 in a container, which many quickstart guides use) with no firewall in front of the port. Best practice is to keep the Admin API bound to localhost and, where remote administration is needed, to put both strong authentication and network-level access control in front of it.
Remediation
Restrict access to the Kong Gateway Admin API by implementing the following security controls:
1. Bind the Admin API to localhost only: in kong.conf set the admin listener (both the plain and the TLS one) to the loopback address, then restart Kong:
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl
The same setting is read from the KONG_ADMIN_LISTEN environment variable, which is how containerised deployments usually configure it; make sure no such variable overrides kong.conf with 0.0.0.0. Setting admin_listen = off disables the Admin API entirely, which is appropriate for DB-less nodes that are provisioned from a declarative file.
2. Implement network-level restrictions: if the Admin API must be reachable from other hosts, bind it to an internal management interface rather than 0.0.0.0, and use host firewall rules or cloud security groups that allow only the administrators' source addresses and deny everything else.
3. Enable authentication: Kong Enterprise includes RBAC for the Admin API as a built-in feature (not a plugin); turn it on with enforce_rbac = on in kong.conf, after which every request must carry a Kong-Admin-Token header belonging to an RBAC user with the required permissions. Open-source Kong has no Admin API authentication of its own. Either use the Kong API Loopback (keep the Admin API on 127.0.0.1, create a Service and Route on the proxy port that forward to it, and protect that Route with an authentication plugin such as key-auth or basic-auth, ideally together with ip-restriction), or place a reverse proxy with authentication (for example nginx with basic auth over TLS) in front of the Admin API port.
4. Use a secure tunnel for remote administration: with the Admin API bound to localhost, reach it through SSH port forwarding or a VPN instead of opening the port:
ssh -L 8001:localhost:8001 user@kong-server
Requests to http://localhost:8001 on the administrator's machine are then forwarded to the gateway's loopback listener.
5. Regular auditing: Kong writes Admin API requests to their own log files (admin_access_log and admin_error_log in kong.conf, logs/admin_access.log and logs/admin_error.log by default); ship them to your log platform and alert on requests from unexpected source addresses, on 401/403 responses, and on any POST, PUT, PATCH or DELETE outside a change window.
After implementing these changes, restart Kong Gateway and verify the result from a host outside the trusted network: a request to port 8001 (and 8444) must be refused or time out, and if the Admin API is published through the loopback or a reverse proxy, a request without credentials must receive 401 rather than the gateway's configuration.
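The following script is an added example for this page, not Kong's own tooling and not part of the original text. It covers two things described above: the exposure check from the Description (is the Admin API answering without credentials?) and the Kong API Loopback from step 3 (publish the localhost-only Admin API on the proxy port behind key-auth, then verify that a request without a key gets 401). It uses only the documented Admin API endpoints (/, /services, /routes, /plugins, /consumers) and the Python standard library. The host names, the Service/Route name admin-api-loopback, the route path /admin-api and the consumer name admin-ops are assumptions; the check relies on the Admin API root still answering with its "Welcome to kong" tagline and version field.

```python
"""Probe a Kong Admin API for unauthenticated exposure and, optionally, put
it behind key-auth via the Kong API Loopback.

Added example, not Kong's own tooling.  Assumed names: Service/Route
"admin-api-loopback", route path "/admin-api", consumer "admin-ops".
"""
import json
import sys
import urllib.error
import urllib.request

SERVICE = "admin-api-loopback"   # name of the Service and Route created below


def request(method, url, body=None, headers=None):
    """Send one JSON request; return (status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        status, raw = exc.code, exc.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


def classify(status, body):
    """Classify the response to GET / on a suspected Admin API port.

    The Admin API root answers 200 with JSON carrying "tagline": "Welcome to
    kong" and the gateway "version"; nothing else on the gateway serves that
    document, and it is only served without credentials when unprotected.
    """
    if (status == 200 and isinstance(body, dict)
            and body.get("tagline") == "Welcome to kong" and "version" in body):
        return "EXPOSED"         # anyone reaching this port controls the gateway
    if status in (401, 403):
        return "AUTH_REQUIRED"   # RBAC, an auth plugin or a reverse proxy is in front
    return "NOT_ADMIN_API"       # 404, HTML, another service, etc.


def loopback_plan(route_path="/admin-api", consumer="admin-ops", api_key=None):
    """Admin API calls that publish the localhost-only Admin API on the proxy
    port behind key-auth: Service -> Route -> key-auth plugin -> Consumer -> key.
    With api_key=None Kong generates the key and returns it in the last response.
    """
    return [
        ("POST", "/services",
         {"name": SERVICE, "url": "http://127.0.0.1:8001"}),
        ("POST", f"/services/{SERVICE}/routes",
         {"name": SERVICE, "paths": [route_path], "strip_path": True}),
        ("POST", f"/routes/{SERVICE}/plugins",
         {"name": "key-auth",
          "config": {"key_names": ["apikey"], "hide_credentials": True}}),
        ("POST", "/consumers", {"username": consumer}),
        ("POST", f"/consumers/{consumer}/key-auth",
         {"key": api_key} if api_key else {}),
    ]


def apply_plan(admin_url, plan):
    """Run the plan against the (localhost) Admin API; 409 means 'already there'."""
    results = []
    for method, path, body in plan:
        status, resp = request(method, admin_url.rstrip("/") + path, body)
        if status not in (200, 201, 409):
            raise RuntimeError(f"{method} {path} -> {status}: {resp}")
        results.append((status, resp))
    return results


def main(argv):
    if len(argv) == 3 and argv[1] == "check":
        # e.g. python kong_admin.py check http://kong.example.internal:8001
        print(classify(*request("GET", argv[2].rstrip("/") + "/")))
    elif len(argv) == 4 and argv[1] == "lockdown":
        # e.g. python kong_admin.py lockdown http://127.0.0.1:8001 http://kong.example.internal:8000
        admin_url, proxy_url = argv[2], argv[3].rstrip("/")
        results = apply_plan(admin_url, loopback_plan())
        key = (results[-1][1] or {}).get("key")
        if not key:
            print("no key returned by Kong; check the consumer's existing keys")
            return 1
        print("consumer key (store it like a database password):", key)
        # Verify: via the proxy, no key -> 401; with the key -> the Admin API root.
        no_key = classify(*request("GET", proxy_url + "/admin-api/"))
        with_key = classify(*request("GET", proxy_url + "/admin-api/",
                                     headers={"apikey": key}))
        print("via proxy without key:", no_key, "| with key:", with_key)
    else:
        print(__doc__)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the lockdown mode on the gateway host itself (the Admin API is on 127.0.0.1 after step 1), then run the check mode from an external host against port 8001, which should fail to connect, and against the proxy path, which should report AUTH_REQUIRED. The /admin-api path on the proxy port is now an administrative surface, so restrict it further with the ip-restriction plugin or firewall rules, and treat the returned key with the same care as the database credentials.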