Critical Ingress NGINX Controller Vulnerabilities Expose Kubernetes Clusters to Remote Code Execution
A set of five critical security vulnerabilities has been disclosed in the Ingress NGINX Controller for Kubernetes, potentially allowing unauthenticated remote code execution (RCE). These flaws put over 6,500 clusters at immediate risk, particularly those with the component exposed to the public internet.
IngressNightmare: A Severe Security Threat
The vulnerabilities, collectively named IngressNightmare by cloud security firm Wiz, have been assigned the following CVEs with a CVSS score of up to 9.8:
CVE-2025-24513 (CVSS: 4.8) – Improper input validation allows directory traversal, leading to denial-of-service (DoS) or limited secret object disclosure.
CVE-2025-24514 (CVSS: 8.8) – The auth-url Ingress annotation enables NGINX configuration injection, resulting in arbitrary code execution and secret disclosure.
CVE-2025-1097 (CVSS: 8.8) – The auth-tls-match-cn Ingress annotation allows NGINX configuration injection, leading to arbitrary code execution and secret exposure.
CVE-2025-1098 (CVSS: 8.8) – The mirror-target and mirror-host annotations permit arbitrary configuration injection, causing remote code execution and secret disclosure.
CVE-2025-1974 (CVSS: 9.8) – An unauthenticated attacker with pod network access can execute arbitrary code in the ingress-nginx controller, potentially leading to a full cluster takeover.
How the Exploit Works
Ingress NGINX Controller leverages NGINX as a reverse proxy and load balancer, allowing external HTTP and HTTPS traffic into Kubernetes services. The attack abuses the controller's admission controller (a validating webhook), which is reachable over the pod network without authentication.
Attack Chain:
An attacker uploads a malicious payload as a shared library using the NGINX client-body buffer feature.
The attacker sends an AdmissionReview request with a configuration injection to the admission controller.
The injected directive causes the shared library to load, leading to remote code execution within the ingress-nginx controller.
With high-privileged service accounts, the attacker gains access to Kubernetes secrets across namespaces, potentially compromising the entire cluster.
Who Is Affected?
According to Wiz, approximately 43% of cloud environments using the Ingress NGINX Controller are vulnerable. However, it is important to note that the NGINX Ingress Controller (a separate implementation for NGINX and NGINX Plus) is not affected.
Mitigation and Recommended Actions
The Kubernetes Security Response Committee has released patches in the following Ingress NGINX Controller versions:
1.12.1
1.11.5
1.10.7
Immediate Steps:
Update Immediately: Upgrade to the latest patched version of Ingress NGINX Controller.
Restrict Admission Controller Access: Ensure that only the Kubernetes API Server can communicate with the admission controller.
Disable Admission Controller (if unnecessary): If your setup does not require the admission controller, consider disabling it temporarily.
Prevent External Exposure: Avoid exposing the admission webhook endpoint to external networks.
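As an added audit for the steps above (example code written for this page, not from the article, Wiz, or the ingress-nginx project), the script below reads kubectl-style JSON and reports two things: controller images older than the fixed releases listed above, and admission-webhook Services whose type makes them reachable from outside the cluster. The input is constructed to mimic `kubectl get deploy,svc -A -o json`; the image path registry.k8s.io/ingress-nginx/controller, the "-admission" Service name suffix and the "https-webhook" port name follow the upstream manifests and are assumptions about a given install. The treatment of minor lines not named in the advisory (newer than 1.12 assumed fixed, older than 1.10 assumed unfixed) is also an assumption.

```python
"""Audit ingress-nginx installs against the IngressNightmare fixes.

Added example, not code from the article or the ingress-nginx project.
Input shape mimics `kubectl get deploy,svc -A -o json` and is constructed below.
"""
import json
import re

# Fixed releases named in the advisory, keyed by (major, minor) line.
PATCHED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}

# Upstream image path (assumption about the install; adjust for mirrors).
TAG_RE = re.compile(r"ingress-nginx/controller:v(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Return (major, minor, patch) from a controller image ref, or None."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True if the version is at or above the fixed release for its minor line.

    Assumption (not stated in the article): lines newer than 1.12 carry the
    fix; lines older than 1.10 received none and need an upgrade.
    """
    line = version[:2]
    if line in PATCHED:
        return version >= PATCHED[line]
    return version >= (1, 12, 1)


def webhook_exposed(svc):
    """Heuristic: the admission Service is reachable off-cluster if its type is
    NodePort or LoadBalancer. The '-admission' suffix follows the upstream
    manifest name ingress-nginx-controller-admission (assumption)."""
    name = svc["metadata"]["name"]
    svc_type = svc["spec"].get("type", "ClusterIP")
    return name.endswith("-admission") and svc_type in ("NodePort", "LoadBalancer")


def audit(items):
    """Walk a kubectl JSON 'items' list and return a list of finding strings."""
    findings = []
    for obj in items:
        ns = obj["metadata"].get("namespace", "")
        name = obj["metadata"]["name"]
        if obj["kind"] == "Deployment":
            for c in obj["spec"]["template"]["spec"]["containers"]:
                v = parse_version(c["image"])
                if v and not is_patched(v):
                    findings.append(
                        f"{ns}/{name}: controller v{'.'.join(map(str, v))} predates "
                        "the IngressNightmare fix; upgrade to 1.12.1 / 1.11.5 / 1.10.7"
                    )
        elif obj["kind"] == "Service" and webhook_exposed(obj):
            findings.append(
                f"{ns}/{name}: admission webhook Service type {obj['spec']['type']} "
                "is reachable off-cluster; use ClusterIP and limit it to the API server"
            )
    return findings


# Constructed sample: one unpatched and one patched controller, one exposed
# and one cluster-internal admission Service.
SAMPLE = json.loads("""{"items": [
 {"kind": "Deployment",
  "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [{"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}}}},
 {"kind": "Deployment",
  "metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [{"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
 {"kind": "Service",
  "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "LoadBalancer", "ports": [{"name": "https-webhook", "port": 443}]}},
 {"kind": "Service",
  "metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "ClusterIP", "ports": [{"name": "https-webhook", "port": 443}]}}
]}""")["items"]


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Against a live cluster, pipe `kubectl get deploy,svc -A -o json` into `json.load` and pass its `items` to `audit()`; the version check is deliberately strict per minor line, so a 1.11.x install is only considered fixed at 1.11.5 or later, not because a 1.12.1 release exists.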