nerdculture.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
Be excellent to each other, live humanism, no nazis, no hate speech. Not only for nerds, but the domain is somewhat cool. ;) No bots in general. Languages: DE, EN, FR, NL, ES, IT

#ingressnightmare

Lenin alevski 🕵️💻

After my last post analyzing the NGINX #IngressNightmare vulnerability, I’m excited to share a new addition to my Kubernetes Security: Advanced Exploitation series!

Inspired by the excellent research from the Wiz team on CVE-2025-1974, I’ve created a hands-on lab that walks you through exploiting this issue step by step. You can try it out here:
🔗 https://github.com/Alevsk/dvka/tree/master/workshop/labs/ingress-nightmare

This lab offers a safe environment to:

1. Reproduce the vulnerability
2. Understand how the exploit works
👉 https://github.com/Alevsk/dvka/blob/master/workshop/labs/ingress-nightmare/cve-2025-1974.py
3. Generate your own indicators of compromise (IOCs)

It’s a great way to deepen your Kubernetes security knowledge and gain hands-on experience with real-world exploitation techniques. Have fun learning, and feel free to share any thoughts or questions!

IT News

This Week in Security: IngressNightmare, NextJS, and Leaking DNA - This week, researchers from Wiz Research released a series of vulnerabilities in t... - https://hackaday.com/2025/03/28/this-week-in-security-ingressnightmare-nextjs-and-leaking-dna/ #thisweekinsecurity #ingressnightmare #hackadaycolumns #securityhacks #23andme #nextjs #news

Matthias Luft

I wrote up some details on exploiting #IngressNightmare #CVE-2025-1974:
www.averlon.ai/blog/kuberne...

Where are we at with releasing a full PoC?

Bret Mogilefsky

Attention all k8s people: There's an #IngressNightmare in progress.
> "Based on our analysis, about 43% of cloud environments are vulnerable to these vulnerabilities, with our research uncovering over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk."
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

Sam Stepanyan :verified: 🐘

#NGINX Critical Ingress NGINX Controller for #Kubernetes Vulnerability Allows #RCE Without Authentication. A set of 5 critical security CVEs with CVSS scores 4.8-9.8 affecting ~43% of cloud environments globally:

#IngressNightmare

https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html

Xavier «X» Santolaria :verified_paw: :donor:

⁉️ So, today are you more of a #ingressnightmare or #signalgate person?

#infosec #uspol

esa

The fixes for the CVEs involved in #ingressnightmare are also kind of interesting:

* CVE-2025-1097 more quoting:
  https://github.com/kubernetes/ingress-nginx/pull/13068/commits/06c992abd8eef9710359a236c443c613d29fdfad

* CVE-2025-1098 more & moved quoting:
  https://github.com/kubernetes/ingress-nginx/pull/13068/commits/2e9f37380afb7853fa6daa1c3e6659550aadfd90

* CVE-2025-1974 various commented-out code, apparently tests?:
  https://github.com/kubernetes/ingress-nginx/pull/13068/commits/0ccf4caaadec919680c455d221e53d97970d527d

* CVE-2025-24513 use a proper filepath type:
  https://github.com/kubernetes/ingress-nginx/pull/13068/commits/cbc159094f6d1b1bf8cf1761eb119138d1f95df1

* CVE-2025-24514 more quoting:
  https://github.com/kubernetes/ingress-nginx/pull/13068/commits/ab470eb920924d62a197ebddd8a4cc3031a77ddf

Lenin alevski 🕵️💻

I spent some time diving into the details of the recent NGINX (ingress-nginx) exploit publication — #IngressNightmare — and here’s a simplified breakdown I put together:

TL;DR:
This attack targets NGINX by tricking it into executing a malicious configuration that leverages dangerous directives (like ssl_engine) to take over the Kubernetes Pod and escalate privileges.

First things first, the attacker needs to be inside the Kubernetes perimeter and able to communicate with the ingress-nginx-controller Pod. This is more common than you’d think — many clusters are deployed without any network segmentation policies in place.

From there, the attack unfolds in two phases:
1. Upload a malicious module to the file system of the ingress-nginx-controller Pod.
2. Send a configuration to ingress-nginx that uses the ssl_engine directive to load that malicious module.

The brilliance of this attack lies in the details. Let me walk you through how it works:

In the first step, the attacker exploits a feature called Client Body Buffers. When an HTTP request exceeds 8KB, NGINX starts writing the body to disk instead of keeping it in memory. To ensure the malicious module is properly staged for the next step, the attacker sets a Content-Length header that leaves the server “waiting” for more data.

Then comes phase two: the attacker floods the ingress-nginx-controller with requests containing an AdmissionReview that includes a config using ssl_engine, pointing to the malicious module injected earlier (e.g., /proc/$PID/fd/$FD). Since the attacker doesn’t know the exact process ID or file descriptor, they brute-force it. But because containerized environments typically have very few processes, this brute-force step is trivial.

Once the attacker guesses the correct combination, NGINX loads the malicious module — and just like that, command execution is achieved.

From that point on, the attacker can use the container’s service account token to read secrets, access config files, move laterally, and ultimately take control of the entire cluster.

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

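A detection sketch for the second phase described in the post above, added here as an example and not taken from any post or from the ingress-nginx project: it scans captured AdmissionReview bodies for ssl_engine together with /proc/<pid>/fd/<fd> references and flags a source that tries many distinct pairs. The (source, review) event pairing, the placeholder annotation key, the threshold and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns named in the post: the ssl_engine directive and a /proc/<pid>/fd/<fd> path.
SSL_ENGINE = re.compile(r"\bssl_engine\b")
PROC_FD = re.compile(r"/proc/(\d+)/fd/(\d+)")

def iter_strings(node):
    """Yield every string value nested anywhere inside a decoded JSON object."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def inspect_review(review):
    """Return (uses_ssl_engine, set of (pid, fd) pairs) for one AdmissionReview."""
    obj = review.get("request", {}).get("object", {})
    uses_engine, guesses = False, set()
    for text in iter_strings(obj):
        uses_engine = uses_engine or bool(SSL_ENGINE.search(text))
        guesses.update((int(p), int(f)) for p, f in PROC_FD.findall(text))
    return uses_engine, guesses

def find_bruteforce(events, min_distinct=3):
    """events: (source, review) pairs. Flag sources trying many distinct pid/fd paths."""
    per_source = defaultdict(set)
    for source, review in events:
        uses_engine, guesses = inspect_review(review)
        if uses_engine and guesses:
            per_source[source] |= guesses
    return {s: sorted(g) for s, g in per_source.items() if len(g) >= min_distinct}

def make_review(annotation_value):
    """Constructed sample: an Ingress AdmissionReview with one placeholder annotation."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid", "object": {
                "kind": "Ingress",
                "metadata": {"annotations": {"example.invalid/placeholder": annotation_value}}}}}

# Constructed events: one source walking pid/fd pairs, one benign source.
SAMPLE_EVENTS = [("10.0.0.5", make_review(f"ssl_engine /proc/{pid}/fd/{fd}"))
                 for pid in (7, 8) for fd in (10, 11)]
SAMPLE_EVENTS.append(("10.0.0.9", make_review("https://auth.example.invalid/check")))

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_EVENTS))
```
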
CHATONS

https://forum.chatons.org/t/critical-ingress-nginx-vulnerability-for-kubernetes/7171/1

#IngressNightmare #kubernetes #ingress_nginx #CVE-2025-24514 #CVE-2025-1097 #CVE-2025-1098 CVE-2025-1974 #cvss9.8