# Ingress-NGINX Critical Vulnerability (CVSS 9.8) Exposes Kubernetes Secrets


Wiz Research has uncovered a critical vulnerability (CVSS 9.8) in Ingress-NGINX, a core Kubernetes component used in over 40% of cloud environments. This flaw allows attackers to access all secrets across all namespaces, potentially leading to a full cluster takeover.

## **Key Details**

  • Affected Versions: All Ingress-NGINX versions before v1.12.1 and v1.11.5.
  • Attack Vector: Exploits a misconfiguration in Ingress-NGINX controller permissions.
  • Impact: Unauthorized access to cluster secrets, configmaps, and sensitive data.

🔗 Full Technical Analysis: Wiz Research Blog

## **You Should Know: How to Mitigate & Secure Your Cluster**

### **1. Immediate Patching**

Upgrade to the latest patched version:

```bash
# For Helm users (chart 4.12.1 ships controller v1.12.1; use chart 4.11.5
# for controller v1.11.5). Add -n <namespace> if the release is not in
# your current namespace.
helm upgrade ingress-nginx ingress-nginx/ingress-nginx --version 4.12.1

# For direct kubectl users
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.1/deploy/static/provider/cloud/deploy.yaml
```

### **2. Verify Permissions**

Check if your Ingress-NGINX has excessive RBAC permissions:

```bash
kubectl get clusterrole ingress-nginx -o yaml
```

Ensure it **does not** grant wildcard or write verbs on secrets and configmaps (the controller only needs `get`, `list` and `watch` on them to read TLS certificates and its own configuration), i.e. nothing like:

```yaml
rules:
- apiGroups: [""]
  resources: ["secrets", "configmaps"]
  verbs: ["*"]
```
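To make the check in step 2 mechanical, here is an added example (not from the post or the ingress-nginx project) that flags any rule in a Role or ClusterRole granting write or wildcard verbs on secrets or configmaps, which goes beyond the single `verbs: ["*"]` pattern above. The ClusterRole embedded in it is a constructed sample and the script name `rbac_check.py` is assumed.

```python
import json
import sys

# Verbs that modify or fully cover a resource; get/list/watch are read-only.
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}
# Core-group resources the post is concerned with.
SENSITIVE = {"secrets", "configmaps"}

# Constructed sample standing in for `kubectl get clusterrole ingress-nginx -o json`.
# Rules 1 and 4 are over-broad; rules 2 and 3 are what a controller legitimately needs.
SAMPLE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ingress-nginx"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

def excessive_rules(role):
    """Return the rules of a Role/ClusterRole that grant write or wildcard
    access to secrets or configmaps in the core API group.

    A rule reaches a sensitive resource when its apiGroups include "" or "*"
    and its resources name one of SENSITIVE or "*". Rules narrowed with
    resourceNames (e.g. one leader-election configmap) are left alone.
    """
    findings = []
    for rule in role.get("rules", []):
        if rule.get("resourceNames"):
            continue
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        reaches_core = bool(groups & {"", "*"})
        reaches_sensitive = reaches_core and bool(resources & (SENSITIVE | {"*"}))
        if reaches_sensitive and verbs & WRITE_VERBS:
            findings.append(rule)
    return findings

if __name__ == "__main__":
    # Pipe real output in: kubectl get clusterrole ingress-nginx -o json | python3 rbac_check.py
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CLUSTERROLE
    for rule in excessive_rules(role):
        print(f"over-broad: apiGroups={rule['apiGroups']} "
              f"resources={rule['resources']} verbs={rule['verbs']}")
```

Run it against every ClusterRole bound to the controller's service account, not just the one named `ingress-nginx`, since aggregated or extra bindings are where surprises usually sit.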

### **3. Restrict Access with Network Policies**

Allow traffic to the Ingress-NGINX pods only from namespaces you choose (`allowed-namespace` is a placeholder):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-access
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # "name" is a label you must set on the namespace yourself;
          # kubernetes.io/metadata.name is the one set automatically.
          name: allowed-namespace
```

Apply it in the namespace where the controller runs. Note that this policy also drops traffic from outside the cluster unless you add a rule for your load balancer's source ranges, and it only takes effect if your CNI enforces NetworkPolicy.

### **4. Rotate Exposed Secrets**

If compromised, **rotate all cluster secrets**. Deleting a Secret does not recreate it, so re-issue each one from wherever it is normally provisioned after removal:

```bash
# List every Secret as "namespace name", skipping service-account tokens
# (managed by the control plane), and delete each in its own namespace.
kubectl get secrets --all-namespaces -o json \
  | jq -r '.items[] | select(.type != "kubernetes.io/service-account-token")
           | "\(.metadata.namespace) \(.metadata.name)"' \
  | while read -r ns name; do kubectl -n "$ns" delete secret "$name"; done
```

### **5. Audit Logs for Suspicious Activity**

Check for unauthorized access attempts in the controller log:

```bash
kubectl logs -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep "unexpected"
```

Reads of secrets made with the controller's service account are recorded in the API server audit log (if enabled), not in the controller's own log, so review both.

## **What Undercode Says**

This vulnerability highlights the risks of over-permissive RBAC roles in Kubernetes. Always:

  • Follow the principle of least privilege
  • Regularly audit cluster roles
  • Monitor ingress controller logs
  • Use admission controllers (e.g., OPA Gatekeeper)

### **Expected Output:**

A secure Kubernetes cluster with restricted Ingress-NGINX permissions, patched to v1.12.1/v1.11.5, and rotated secrets if exposed.

🔗 Reference: Kubernetes Security Best Practices

References:

Reported By: Cohen Ofir – Hackers Feeds