Ingress Nightmare: Critical RCE Vulnerabilities in Ingress NGINX (CVSS )


A series of unauthenticated Remote Code Execution (RCE) vulnerabilities has been discovered in the Ingress NGINX Controller, putting the Kubernetes clusters that run it at risk. An attacker who can reach the controller's admission webhook can exploit these flaws to gain unauthorized access to secrets across all namespaces, potentially leading to a complete cluster takeover.

Why This Is Critical

  • The Ingress NGINX Controller’s admission webhook is exposed without authentication.
  • Attackers can inject malicious NGINX configurations via crafted ingress objects.
  • The controller runs with high privileges, enabling full cluster compromise.

How to Detect & Mitigate

1. Check if your cluster uses Ingress NGINX:

kubectl get pods -n ingress-nginx 

2. Verify admission webhook exposure:

kubectl get validatingwebhookconfigurations -o yaml | grep "ingress-nginx" 

3. Patch immediately: Upgrade to Ingress NGINX Controller v1.12.1 or v1.11.5.
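The three steps above can be folded into one triage script. The following is an added example, not code from this post or from the ingress-nginx project: it reads the JSON that `kubectl get deploy -n ingress-nginx -o json` and `kubectl get validatingwebhookconfigurations -o json` print (pass the two files as arguments), extracts the controller image version, compares it with the fixed releases named above (v1.12.1 and v1.11.5), and lists where every ingress-nginx admission webhook points. The rule that minors newer than v1.12 also carry the fix is our assumption, and the sample documents at the bottom are constructed for this example.

```python
"""Triage helper: is the Ingress NGINX controller patched, and where does its
admission webhook point? Added example; sample input below is constructed."""
import json
import re
import sys

# Fixed releases as stated in the advisory text, keyed by minor version.
FIXED_PATCH_BY_MINOR = {11: 5, 12: 1}
NEWEST_FIXED_MINOR = max(FIXED_PATCH_BY_MINOR)


def parse_controller_version(image):
    """Return (major, minor, patch) from an image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:..., or None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True when the version carries the fix. Assumption (ours, not the
    page's): releases on minors newer than the newest fixed minor carry it too."""
    major, minor, patch = version
    if major != 1:
        return major > 1
    if minor in FIXED_PATCH_BY_MINOR:
        return patch >= FIXED_PATCH_BY_MINOR[minor]
    return minor > NEWEST_FIXED_MINOR


def controller_images(deployment_list):
    """(deployment name, image) for every ingress-nginx controller container."""
    found = []
    for dep in deployment_list.get("items", []):
        for c in dep["spec"]["template"]["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"]:
                found.append((dep["metadata"]["name"], c["image"]))
    return found


def webhook_targets(webhook_config_list):
    """(webhook name, namespace/service:port) for each ingress-nginx webhook."""
    targets = []
    for cfg in webhook_config_list.get("items", []):
        for wh in cfg.get("webhooks", []):
            if "ingress.kubernetes.io" not in wh.get("name", ""):
                continue
            svc = wh.get("clientConfig", {}).get("service", {})
            # The API defaults service.port to 443 when the field is omitted.
            target = f"{svc.get('namespace')}/{svc.get('name')}:{svc.get('port', 443)}"
            targets.append((wh["name"], target))
    return targets


def triage(deployment_list, webhook_config_list):
    """Combine the version check and the webhook listing into one report."""
    report = {"controllers": [], "webhooks": webhook_targets(webhook_config_list)}
    for name, image in controller_images(deployment_list):
        version = parse_controller_version(image)
        report["controllers"].append({
            "deployment": name,
            "image": image,
            "version": version,
            "patched": version is not None and is_patched(version),
        })
    return report


# Constructed sample input: one unpatched controller and its admission webhook.
SAMPLE_DEPLOYMENTS = {"items": [{
    "metadata": {"name": "ingress-nginx-controller"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "controller",
         "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0"},
    ]}}},
}]}
SAMPLE_WEBHOOKS = {"items": [{
    "metadata": {"name": "ingress-nginx-admission"},
    "webhooks": [{
        "name": "validate.nginx.ingress.kubernetes.io",
        "clientConfig": {"service": {"namespace": "ingress-nginx",
                                     "name": "ingress-nginx-controller-admission"}},
    }],
}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report = triage(json.load(f), json.load(g))
    else:
        report = triage(SAMPLE_DEPLOYMENTS, SAMPLE_WEBHOOKS)
    for c in report["controllers"]:
        state = "patched" if c["patched"] else "VULNERABLE: upgrade to v1.12.1 / v1.11.5"
        print(f"{c['deployment']}: {c['image'].split('@')[0]} -> {state}")
    for name, target in report["webhooks"]:
        print(f"admission webhook {name} -> {target}")
```

Run it with no arguments to see the constructed sample reported as vulnerable, or with the two JSON files to triage a real cluster; a controller image that carries no semantic version tag (for example `:latest`) is reported as unpatched, since it cannot be verified.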

You Should Know: Hardening Steps

  • Restrict admission webhook access (substitute the name your install uses; the upstream manifests call the configuration ingress-nginx-admission, and step 2 above lists it):
    kubectl patch validatingwebhookconfigurations ingress-nginx -p '{"webhooks":[{"name":"validate.nginx.ingress.kubernetes.io","clientConfig":{"service":{"namespace":"ingress-nginx","name":"ingress-nginx-controller-admission"}}}]}'
    This pins the webhook to the in-cluster admission Service but does not stop other clients from reaching the admission port; only the API server should be able to reach that Service, which is what the NetworkPolicy further down enforces.
    
  • Monitor for suspicious ingress objects:
    kubectl get ingress --all-namespaces -o yaml | grep "malicious-pattern" 
    
  • Revoke unnecessary permissions:
    kubectl auth can-i --list --as=system:serviceaccount:ingress-nginx:default 
    

Expected Commands for Incident Response

  • Check for active exploits:
    kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=100 | grep "eval" 
    
  • Isolate compromised pods:
    kubectl delete pod -n ingress-nginx <malicious-pod> --grace-period=0 --force 
    
  • Rotate exposed secrets (kubectl has no rotate subcommand; list them, then re-issue each one through the system that created it and re-apply the new value):
    kubectl get secrets --all-namespaces -o name
    

What Undercode Says

This exploit underscores the importance of default-deny policies in Kubernetes. Always:
– Restrict admission webhooks to internal traffic.
– Use Network Policies to limit pod communication:

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-nginx-external
  namespace: ingress-nginx
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: kube-system
EOF

Two things to check before applying this on a live cluster. First, `name: kube-system` is not a label Kubernetes sets by itself (from 1.21 on every namespace carries `kubernetes.io/metadata.name` automatically), so either label kube-system or use that key; a selector that matches nothing turns this into a deny-all policy for the namespace. Second, `podSelector: {}` covers the controller pods as well, so the policy also denies the client traffic on ports 80 and 443 that the controller exists to serve; scope it to the admission webhook port (8443 in the upstream deployment) or allow those ports separately.

– Audit RBAC roles regularly:

kubectl get roles,clusterroles --all-namespaces 

References

Ingress NGINX Patch Details
CVE Analysis

Expected Output:

Cluster secured with patched Ingress NGINX, admission webhook restricted, and secrets rotated. 

Reported By: Javier Ramirez – Hackers Feeds
