March 24, 2025
Researchers from Wiz have discovered critical vulnerabilities in the Ingress-NGINX Controller, widely used in Kubernetes clusters to manage incoming traffic. These vulnerabilities, named IngressNightmare, allow attackers to execute arbitrary code within the cluster, potentially compromising the entire system. Let’s examine the details of these vulnerabilities, how they can be exploited, and how to mitigate the risks.
What is the Ingress-NGINX Controller?
Ingress-NGINX is a popular Ingress controller used to manage HTTP(S) traffic within Kubernetes clusters. It enables routing requests to different services and provides access control and security.
However, due to its widespread adoption, it has become a major target for attacks. The controller utilizes an admission controller, responsible for processing incoming Ingress requests before applying them. This component was identified as a weak point, leading Wiz researchers to uncover these critical security flaws.
Vulnerability Overview
CVE-2025-1974 (CVSS 9.8) – Remote Code Execution
This vulnerability allows an attacker to execute arbitrary code inside the Kubernetes cluster. It stems from incorrect processing of user-supplied annotations on Ingress objects, which makes it possible to inject malicious commands.
CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 (CVSS 8.8) – Configuration Injection
These vulnerabilities also lie in the processing of annotations on incoming Ingress resources. An attacker can use them to alter the routing configuration, which can lead to a data leak or a man-in-the-middle (MitM) attack.
CVE-2025-24513 (CVSS 4.8) – Path traversal
This moderate-severity vulnerability allows an attacker to access confidential files on the system, bypassing standard security mechanisms.
How attacks work
Attackers can exploit these vulnerabilities by sending specially crafted Ingress objects to the controller, enabling them to:
- Execute arbitrary commands within containers.
- Redirect traffic inside the cluster.
- Extract sensitive data, including authentication tokens and API secrets.
Mitigation strategies
1. Update Ingress-NGINX Controller: Upgrade to version 1.12.1 or 1.11.5, which contain the fixes.
2. Restrict access: Configure network policies to allow access to the admission controller only from the Kubernetes API server.
3. Disable admission controller (Temporary Fix): If updating is not feasible, temporarily disable this component.
4. Monitor and audit: Use Falco, Prometheus, and Kubernetes Audit Logs to detect suspicious activities.
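The following shell script is an added example covering mitigation steps 1 to 3; it is not code from the advisory or from the ingress-nginx project. It assumes the upstream installation layout (namespace ingress-nginx, the standard app.kubernetes.io labels, admission webhook on port 8443) and uses a constructed image reference and a placeholder API_SERVER_CIDR that you must replace with the range your API server actually connects from.

```shell
#!/bin/sh
# Added example, not part of the original article or the ingress-nginx project.
# Assumptions: controller installed from the upstream manifests (namespace
# "ingress-nginx", upstream labels, webhook on 8443); API_SERVER_CIDR is a
# placeholder that must be replaced with your API server's source range.

# Extract the tag from an image reference such as
# registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:... -> v1.11.3
image_tag() {
  ref=${1%%@*}          # drop any @sha256:... digest
  echo "${ref##*:}"     # keep what follows the last colon
}

# Print "patched" if a controller tag carries the IngressNightmare fixes
# (1.12.1+ or 1.11.5+, as stated above), otherwise "vulnerable".
ingress_nginx_status() {
  tag=${1#v}
  major=${tag%%.*}
  rest=${tag#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;            # "v1.12" with no patch component
  esac
  patch=${patch%%-*}           # ignore suffixes such as -rc1 (assumption)
  case "$major.$minor" in
    1.12) [ "$patch" -ge 1 ] && echo patched || echo vulnerable ;;
    1.11) [ "$patch" -ge 5 ] && echo patched || echo vulnerable ;;
    *)
      # Minors newer than 1.12 were released after the fix; anything older
      # than 1.11 never received it.
      if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; }; then
        echo patched
      else
        echo vulnerable
      fi ;;
  esac
}

# Emit a NetworkPolicy that keeps ports 80/443 open to everyone (that is the
# controller's job) but lets only the CIDR in $1 reach the webhook on 8443.
# Because a NetworkPolicy is an allow-list, every other source is denied.
admission_webhook_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-webhook
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - port: 80
    - port: 443
  - from:
    - ipBlock:
        cidr: $1
    ports:
    - port: 8443
EOF
}

# Constructed sample image reference (digest is dummy zeros) standing in for:
#   kubectl -n ingress-nginx get deploy ingress-nginx-controller \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'
SAMPLE_IMAGE="registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000000000000000000000000000000000000000000000000000000000000000"
API_SERVER_CIDR="10.0.0.0/24"   # placeholder, not a real address range

echo "$SAMPLE_IMAGE -> $(ingress_nginx_status "$(image_tag "$SAMPLE_IMAGE")")"
admission_webhook_policy "$API_SERVER_CIDR"   # pipe into: kubectl apply -f -

# Step 3, temporary fix if you cannot upgrade yet (resource names as in the
# upstream manifests; Helm users set controller.admissionWebhooks.enabled=false):
#   kubectl delete validatingwebhookconfiguration ingress-nginx-admission
#   then remove the --validating-webhook argument from the controller's
#   Deployment/DaemonSet, and re-enable the webhook once patched.
```

The version check treats the two fixed branches separately rather than comparing against a single number, so a cluster on 1.11.5 is correctly reported as patched even though 1.12.0 is not. The policy leaves the proxied ports open, since restricting those would break the controller's purpose; only the webhook port is pinned to the API server's source range.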
Conclusion
The vulnerabilities discovered in the Ingress-NGINX Controller underline the importance of updating Kubernetes and its related components promptly. Administrators should act immediately to protect their clusters by following the recommendations above. Kubernetes security requires constant monitoring and improvement to stay ahead of potential threats.