CVE-2021-25745 Overview
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
Critical Impact
An attacker with privileges to create or update Ingress objects can exploit this vulnerability to steal ingress-nginx controller credentials, potentially gaining access to all Kubernetes secrets cluster-wide.
Affected Products
- Kubernetes ingress-nginx
Discovery Timeline
- May 6, 2022 - CVE CVE-2021-25745 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-25745
Vulnerability Analysis
This vulnerability is classified as an Improper Input Validation issue (CWE-20) affecting the Kubernetes ingress-nginx controller. The flaw exists in how the ingress-nginx controller processes the path field within Ingress object specifications. When a malicious user crafts a specially designed Ingress object with a manipulated spec.rules[].http.paths[].path field, they can extract sensitive credentials from the ingress-nginx controller.
The attack is particularly dangerous because the default ingress-nginx controller configuration grants the controller's service account broad access to Kubernetes secrets across the entire cluster. This means successful exploitation could result in complete compromise of all secrets stored in the Kubernetes cluster.
Root Cause
The root cause of this vulnerability stems from insufficient input validation on the path field within Ingress object specifications. The ingress-nginx controller fails to properly sanitize or validate the spec.rules[].http.paths[].path field before processing it, allowing attackers to inject malicious content that results in credential disclosure.
This improper input validation allows the path field to be leveraged as an attack vector to access internal controller credentials that should not be exposed to users with Ingress object creation privileges.
Attack Vector
The attack vector is network-based and requires low privileges (the ability to create or update Ingress objects in the Kubernetes cluster). No user interaction is required. An attacker with the necessary Kubernetes RBAC permissions can craft malicious Ingress objects with specially crafted path values.
The exploitation flow involves:
- The attacker creates or modifies an Ingress object with a malicious path value
- The ingress-nginx controller processes the Ingress object without proper validation
- The path field manipulation causes credential leakage
- The attacker captures the ingress-nginx controller credentials
- Using these credentials, the attacker can access all Kubernetes secrets in the cluster
For technical details on the specific exploitation mechanism, refer to the GitHub Issue #8502 and the Kubernetes Security Announcement.
Detection Methods for CVE-2021-25745
Indicators of Compromise
- Unusual Ingress objects with abnormal or suspicious path field values
- Unexpected access to Kubernetes secrets from ingress-nginx controller service account
- Audit logs showing creation or modification of Ingress objects with non-standard path configurations
- Anomalous network activity from the ingress-nginx controller pod
Detection Strategies
- Enable Kubernetes audit logging and monitor for Ingress object creation/modification events with suspicious path values
- Implement admission controllers (e.g., OPA Gatekeeper, Kyverno) to validate Ingress path fields against known malicious patterns
- Monitor ingress-nginx controller logs for unusual path processing behavior
- Use SentinelOne Singularity Cloud Workload Protection to detect anomalous container behavior
Monitoring Recommendations
- Configure alerting on Kubernetes audit logs for Ingress resource modifications
- Monitor secret access patterns from the ingress-nginx controller service account
- Implement runtime security monitoring for the ingress-nginx controller pods
- Review RBAC permissions regularly to identify users with Ingress creation privileges
How to Mitigate CVE-2021-25745
Immediate Actions Required
- Upgrade ingress-nginx to a patched version as specified in the security advisory
- Review and restrict RBAC permissions for Ingress object creation and modification
- Audit existing Ingress objects for suspicious path field values
- Consider implementing admission controllers to validate Ingress specifications
Patch Information
Kubernetes has released security patches to address this vulnerability. Refer to the GitHub Issue #8502 for specific version information and upgrade instructions. Additionally, consult the Kubernetes Security Announcement for official guidance. The NetApp Security Advisory NTAP-20220609-0006 also provides relevant information for affected deployments.
Workarounds
- Restrict RBAC permissions to limit which users can create or update Ingress objects
- Implement admission webhooks to validate and sanitize Ingress path fields before they are processed
- Apply the principle of least privilege to the ingress-nginx controller service account, limiting its access to secrets
- Consider network policies to restrict communication paths for the ingress-nginx controller
# Example: Restrict ingress-nginx service account permissions
# Create a more restrictive ClusterRole that limits secret access
kubectl create clusterrole ingress-nginx-restricted \
--verb=get,list,watch \
--resource=secrets \
--resource-name=specific-allowed-secrets
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
