{"uuid": "87501354-0ff7-4561-aef1-a5fdd8ca2575", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-1097", "type": "published-proof-of-concept", "source": "https://t.me/tech_b0lt_Genona/5140", "content": "A sweet hole\n\nI can't fit everything into a post, so I strongly recommend following the link and reading it. I've attached the PoC demo to the post.\n\ntl;dr\nOver 40% of cloud environments are vulnerable to RCE, likely leading to a complete cluster takeover\n\nWiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.\n. . .\nThe Vulnerability\nIngress NGINX deploys an admission controller within its pod, designed to validate incoming ingress objects before they are deployed. By default, admission controllers are accessible over the network without authentication, making them a highly appealing attack vector.\n\nWhen the Ingress-NGINX admission controller processes an incoming ingress object, it constructs an NGINX configuration from it and then validates it using the NGINX binary. Our team found a vulnerability in this phase that allows injecting an arbitrary NGINX configuration remotely, by sending a malicious ingress object directly to the admission controller through the network.\n\nDuring the configuration validation phase, the injected NGINX configuration causes the NGINX validator to execute code, allowing remote code execution (RCE) on the Ingress NGINX Controller\u2019s pod.\n\nThe admission controller\u2019s elevated privileges and unrestricted network accessibility create a critical escalation path. Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover.\n. . .\nMitigation & Detection\n\nFirst, determine if your clusters are using ingress-nginx. In most cases, you can check this by running kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx with cluster administrator permissions.\n\nThis vulnerability is fixed in Ingress NGINX Controller version 1.12.1 and 1.11.5. We strongly recommend that cluster admins:\n\n- Update to the latest version of Ingress NGINX Controller.\n\n- Ensure the admission webhook endpoint is not exposed externally.\n. . .\nFrom Configuration Injection to RCE\n\nWith a reliable file upload to Ingress NGINX Controller\u2019s pod, we can now put it all together to exploit this issue into a full-blown Remote Code Execution.\n\nThe exploit works as follows:\n\n- Upload our payload in the form of a shared library to the pod by abusing the client-body buffer feature of NGINX\n\n- Send an AdmissionReview request to the Ingress NGINX Controller\u2019s admission controller, which contains any one of our directive injections\n\n- The directive we inject is the ssl_engine directive, which will cause NGINX to load the specified file as a shared library\n\n- We specify the ProcFS path to the file descriptor of our payload\n\n- If everything goes well, our shared library is now loaded, and we execute code remotely\n\nIngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX\nhttps://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities\n+\nAVD-KSV-0041 - Ingress Controller - Cluster Role Allowing Access To All Secrets\nhttps://github.com/kubernetes/ingress-nginx/issues/10778\n\nThe issue was opened in December 2023 (it was closed and only recently reopened), while Wiz actually reported the bugs only in December 2024. Makes you think \ud83c\udf1d", "creation_timestamp": "2025-03-25T08:54:56.000000Z"}