CVE-2021-25745
📋 TL;DR
CVE-2021-25745 is a vulnerability in ingress-nginx where users with permissions to create or update Ingress objects can exploit the path field to obtain the controller's credentials. These credentials typically have access to all secrets in the cluster. This affects Kubernetes clusters using ingress-nginx with default configurations.
💻 Affected Systems
- ingress-nginx
📦 What is this software?
Ingress Nginx by Kubernetes
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Ingress object creation/update permissions could steal the ingress-nginx controller credentials, access all cluster secrets, and potentially compromise the entire Kubernetes environment.
Likely Case
Malicious or compromised users with appropriate RBAC permissions could exfiltrate sensitive secrets, leading to data breaches or lateral movement within the cluster.
If Mitigated
With proper RBAC controls limiting Ingress object permissions and network policies, impact is limited to authorized users who already have significant cluster access.
🎯 Exploit Status
Exploitation requires RBAC permissions to create/update Ingress objects. The vulnerability is well-documented with public proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ingress-nginx 1.2.0 and later
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc
Restart Required: Yes
Instructions:
1. Update the ingress-nginx controller to version 1.2.0 or later.
2. If you deploy with Helm, update the ingress-nginx Helm chart to a release that ships controller 1.2.0 or later.
3. Restart the ingress-nginx controller pods.
4. Verify the fix by checking the controller logs for a successful startup.
🔧 Temporary Workarounds
Restrict Ingress Object Permissions
Limit RBAC permissions so that only trusted administrators can create or update Ingress objects.
kubectl edit clusterrole <role-name>
Remove create/update permissions for Ingress objects from non-admin roles
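Before editing roles it helps to know which ones actually grant Ingress write access. The following script is an added example, not part of this advisory or of the ingress-nginx project: it takes the JSON emitted by `kubectl get clusterroles -o json` (or `kubectl get roles -A -o json`) and lists every role whose rules allow `create`, `update` or `patch` on `ingresses` in the `networking.k8s.io` or legacy `extensions` API group, treating `*` as a match. The inclusion of `patch` and the sample role list are assumptions made for the example.

```python
import json
import sys

# API groups under which Ingress objects live; "*" matches any group.
INGRESS_GROUPS = {"networking.k8s.io", "extensions", "*"}
INGRESS_RESOURCES = {"ingresses", "*"}
# Verbs that let a subject write an Ingress. "patch" is included on the
# assumption that a patch to spec.rules[].http.paths[].path is equivalent
# to an update for the purposes of this advisory.
WRITE_VERBS = {"create", "update", "patch", "*"}


def rule_grants_ingress_write(rule: dict) -> bool:
    """True if a single RBAC PolicyRule allows writing Ingress objects."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (
        bool(groups & INGRESS_GROUPS)
        and bool(resources & INGRESS_RESOURCES)
        and bool(verbs & WRITE_VERBS)
    )


def roles_granting_ingress_write(role_list: dict) -> list:
    """Given a kubectl JSON List of Role/ClusterRole objects, return the
    identifiers of those that grant Ingress write access, in input order."""
    hits = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        ident = f"{role.get('kind', 'Role')}/{meta.get('name', '?')}"
        if meta.get("namespace"):
            ident += f" (ns={meta['namespace']})"
        if any(rule_grants_ingress_write(r) for r in role.get("rules", [])):
            hits.append(ident)
    return hits


# CONSTRUCTED sample in the shape of `kubectl get clusterroles,roles -o json`.
SAMPLE_ROLES = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "ingress-editor"},
         "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                    "verbs": ["get", "list", "create", "update"]}]},
        {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "team-a"},
         "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "Role", "metadata": {"name": "deployer", "namespace": "team-b"},
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["create", "update"]}]},
    ],
}


if __name__ == "__main__":
    # Pipe real output in (kubectl get clusterroles -o json | python3 this.py)
    # or run with no stdin to see the constructed sample evaluated.
    data = SAMPLE_ROLES if sys.stdin.isatty() else json.load(sys.stdin)
    for ident in roles_granting_ingress_write(data):
        print(ident)
```

The script inspects rules only; it does not resolve aggregated ClusterRoles or tell you which subjects are bound to each role, so follow up on every hit with the matching RoleBindings and ClusterRoleBindings before deciding what to remove.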
Use Network Policies
Implement network policies that restrict the ingress-nginx controller pods' network access to only the services they must reach.
kubectl apply -f network-policy.yaml
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create/update Ingress objects
- Monitor Ingress object creation/modification events and audit logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
List the controller image(s) in use (adjust -n if ingress-nginx is installed in another namespace): kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'
Check Version:
Extract the version tag; ingress-nginx tags carry a leading "v", so the pattern must allow for it: kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}' | grep -oE ':v?[0-9]+(\.[0-9]+)+'
Any controller version below 1.2.0 is affected.
Verify Fix Applied:
Verify ingress-nginx controller is running version 1.2.0 or later and check controller logs for successful startup without path validation errors.
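Eyeballing image tags is error-prone when several controller pods or images are present, so here is an added example, not part of the advisory or of the ingress-nginx project, that takes the whitespace-separated image list produced by the kubectl jsonpath above and classifies each ingress-nginx image as vulnerable or fixed against the 1.2.0 threshold. It assumes the project's `vMAJOR.MINOR.PATCH` tag convention with an optional `@sha256:` digest, and treats an image with no parseable tag as vulnerable because its version cannot be confirmed. The sample output string is constructed.

```python
import re

# Minimum fixed controller version stated in the advisory.
FIXED_VERSION = (1, 2, 0)

# Matches the tag at the end of an image reference such as
#   registry.k8s.io/ingress-nginx/controller:v1.1.3@sha256:<digest>
# The leading "v", a pre-release/build suffix and the digest are optional.
_TAG_RE = re.compile(
    r":v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?(?:@sha256:[0-9a-f]+)?$"
)


def parse_controller_version(image_ref: str):
    """Return (major, minor, patch) for an image reference, or None when the
    reference has no semantic version tag (e.g. an implicit :latest)."""
    m = _TAG_RE.search(image_ref.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(image_ref: str) -> bool:
    """True if the tag is older than 1.2.0 or cannot be determined.
    Unknown is treated as vulnerable: an unverifiable version is not a pass."""
    version = parse_controller_version(image_ref)
    return version is None or version < FIXED_VERSION


def assess_jsonpath_output(output: str) -> dict:
    """Map each ingress-nginx image in the jsonpath output to 'vulnerable'
    or 'fixed'. Images that are not ingress-nginx (sidecars) are skipped."""
    results = {}
    for ref in output.split():
        if "ingress-nginx" not in ref:
            continue
        results[ref] = "vulnerable" if is_vulnerable(ref) else "fixed"
    return results


# CONSTRUCTED sample of what the kubectl jsonpath might print for two pods.
SAMPLE_OUTPUT = (
    "registry.k8s.io/ingress-nginx/controller:v1.1.3@sha256:abc123 "
    "registry.k8s.io/ingress-nginx/controller:v1.2.0"
)

if __name__ == "__main__":
    for image, status in assess_jsonpath_output(SAMPLE_OUTPUT).items():
        print(f"{status:10s} {image}")
```

Tuple comparison keeps the check correct for tags such as `v1.10.0`, which a textual comparison would wrongly rank below `v1.2.0`.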
📡 Detection & Monitoring
Log Indicators:
- Unauthorized Ingress object creation/modification events
- ingress-nginx controller accessing unexpected secrets
- Failed path validation attempts in controller logs
Network Indicators:
- Unexpected network traffic from ingress-nginx pods to Kubernetes API server
- Unusual secret access patterns from controller IPs
SIEM Query:
source="kubernetes-audit" AND (verb="create" OR verb="update") AND objectRef.resource="ingresses" AND NOT user.username="system:serviceaccount:kube-system:default"
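The same logic as the SIEM query, applied directly to Kubernetes API server audit log lines, as an added example that is not part of this advisory: it alerts on every `create`, `update` or `patch` of an `ingresses` resource by a user outside an allowlist (defaulting to the service account the query above excludes) and annotates each alert with any request-body path that falls outside a conservative character allowlist. The allowlist regex and the four audit events are constructed assumptions for the example; `requestObject` is only present when the audit policy records at Request or RequestResponse level.

```python
import json
import re

# CONSTRUCTED Kubernetes audit events as JSON lines, trimmed to the fields
# the detection needs. Real events carry many more fields.
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create", "user": {"username": "dev-alice"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "team-a", "name": "web"},
                "requestObject": {"spec": {"rules": [{"http": {"paths": [
                    {"path": "/", "pathType": "Prefix"}]}}]}}}),
    json.dumps({"verb": "update",
                "user": {"username": "system:serviceaccount:kube-system:default"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "kube-system", "name": "dashboard"},
                "requestObject": {"spec": {"rules": [{"http": {"paths": [
                    {"path": "/dashboard", "pathType": "Prefix"}]}}]}}}),
    json.dumps({"verb": "get", "user": {"username": "dev-bob"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "team-b", "name": "api"}}),
    json.dumps({"verb": "update", "user": {"username": "dev-carol"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "team-c", "name": "odd"},
                "requestObject": {"spec": {"rules": [{"http": {"paths": [
                    {"path": "/app/;test", "pathType": "ImplementationSpecific"}]}}]}}}),
]

WRITE_VERBS = {"create", "update", "patch"}
# Identities whose Ingress writes are expected; the page's query excludes this
# one. Extend with your GitOps/CI service accounts (assumption for the example).
DEFAULT_ALLOWED_USERS = frozenset({"system:serviceaccount:kube-system:default"})
# Conservative allowlist for path characters. Anything outside it is flagged
# for review; this is a triage heuristic, not proof of abuse.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._~/-]*$")


def is_ingress_write(event: dict) -> bool:
    """True for create/update/patch events whose target resource is ingresses."""
    return (event.get("verb") in WRITE_VERBS
            and event.get("objectRef", {}).get("resource") == "ingresses")


def unusual_paths(event: dict) -> list:
    """Paths in the request body that fall outside SAFE_PATH_RE.
    Empty when the audit level did not capture requestObject."""
    spec = event.get("requestObject", {}).get("spec", {})
    found = []
    for rule in spec.get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            if path and not SAFE_PATH_RE.match(path):
                found.append(path)
    return found


def detect(lines, allowed_users=DEFAULT_ALLOWED_USERS) -> list:
    """One alert per Ingress write by a non-allowlisted user; malformed
    lines are skipped rather than aborting the run."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not is_ingress_write(event):
            continue
        user = event.get("user", {}).get("username", "")
        if user in allowed_users:
            continue
        ref = event.get("objectRef", {})
        alerts.append({
            "user": user,
            "verb": event["verb"],
            "ingress": f"{ref.get('namespace', '?')}/{ref.get('name', '?')}",
            "unusual_paths": unusual_paths(event),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(alert)
```

For `patch` requests the `requestObject` is the patch document rather than a full spec, so `unusual_paths` will not see paths set that way; correlate those alerts with the stored object instead.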
🔗 References
- https://github.com/kubernetes/ingress-nginx/issues/8502
- https://groups.google.com/g/kubernetes-security-announce/c/7vQrpDZeBlc
- https://security.netapp.com/advisory/ntap-20220609-0006/