Posted on February 7, 2022 at 7:00 PM
Security researchers have warned that a vulnerability in the Argo continuous deployment (CD) tool for Kubernetes could allow attackers to access sensitive information such as API keys and passwords.
The vulnerability, tracked as CVE-2022-24348, impacts all versions of the tool; it has been patched in versions 2.1.9, 2.2.4, and 2.3.0. Apiiro, the cybersecurity firm that discovered the vulnerability, warned users of the tool about the flaw.
Additionally, the vulnerability can enable hackers to easily move from one application ecosystem to another.
Argo CD is a continuous-delivery platform that is deployed as a Kubernetes controller in the cloud. The tool is utilized to deploy apps and monitor them as they run in real-time.
Apiiro's security research team stated that the vulnerability is a path-traversal issue: a flaw of this class lets threat actors read directories and files stored outside the scope they are permitted to access. According to the report, the vulnerability is described as critical, with a severity score of 7.7 out of 10.
The Bug Can Be Exploited By Building Kubernetes Helm Chart File
Threat actors can exploit the vulnerability when a malicious Kubernetes Helm Chart YAML file is loaded into Argo CD. The attack cannot succeed, however, unless the attackers can reach from their own application ecosystem into another application's data.
The vulnerability comes from the manner Argo CD utilizes and controls its anti-path-traversal security, the researchers noted.
The researchers added that whether the vulnerability can be exploited depends on how users are leveraging Argo CD to build an application-deployment pipeline. This can be done in two ways: by building a Kubernetes Helm Chart file or by defining a Git repository. Apiiro explained that the problem lies in the former approach.
A Helm Chart is a YAML file that embeds different fields, forming the configurations and declarations required to deploy an application. The application, according to the Apiiro researchers, may be made up of several building blocks. These can be embedded into other files to work as self-contained applications housed in a repository.
No Workaround For The Vulnerability
The researchers stated that attackers who have permission to create or update applications can abuse any file containing valid YAML. They can plant a malicious Helm chart that consumes that YAML as a values file, gaining access they otherwise should not have.
In environments where users keep encrypted values files containing confidential or sensitive data, the impact becomes far more critical, the researchers added.
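The two passages above describe the root cause (a values-file path that Argo CD should have confined to the application's own repository) and the defence (a path-traversal guard that actually holds). The Go function below is an added example written for this article, not Argo CD's own code, showing what such a containment check looks like: a user-supplied values-file reference is joined onto the repository root and accepted only if the cleaned result still lies inside that root. The root path and file names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would resolve outside the
// repository root. (Illustrative code for this article, not Argo CD's.)
var ErrOutsideRoot = errors.New("path escapes repository root")

// ResolveWithinRoot joins a user-supplied relative path (for example a Helm
// values-file reference) onto root and returns the cleaned absolute path only
// if it stays inside root. Absolute paths and lexical "../" escapes are rejected.
func ResolveWithinRoot(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// An absolute user path ignores the root entirely, so it is never allowed.
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	// Join also Cleans the result, collapsing "a/../b" into "b".
	candidate := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	// After cleaning, any escape shows up as a leading ".." component.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs: a legitimate values file, a cleaned-up but
	// still-contained path, and two attempts to leave the repository.
	root := "/repo/my-app"
	for _, p := range []string{
		"values/prod.yaml",
		"charts/../values.yaml",
		"../other-app/secrets.yaml",
		"/etc/passwd",
	} {
		resolved, err := ResolveWithinRoot(root, p)
		if err != nil {
			fmt.Printf("REJECT %-28s %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %-28s -> %s\n", p, resolved)
	}
}
```

The check is purely lexical: it guards against `..` components and absolute paths, which is the traversal class this advisory concerns. If the repository on disk can contain symlinks, resolve the candidate with `filepath.EvalSymlinks` before the containment comparison, otherwise a link inside the root can still point outside it.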
Unfortunately, there are no workarounds for the vulnerability, which puts users at greater risk of exploitation if they do not update their installations. As a result, Argo has advised its users to apply the updates to their installations as soon as possible. Users on a version for which no patch is yet available can expect one shortly, according to the company.
Apiiro said it informed Argo CD about the vulnerability two weeks ago and the company moved swiftly to provide a patch. The security firm said both parties are working together to ensure that threat actors do not claim many victims by exploiting it.
Hackers Are Increasingly Becoming More Sophisticated
Yaniv Bar-Dayan, Chief Executive Officer of Vulcan Cyber, noted that his security firm has observed many advanced persistent threats (APTs) exploiting zero-days in supply chain software such as Argo CD.
He added that unmitigated vulnerabilities have led to more cyber risk and attacks than any other factor. Threat actors are always looking for the path of least resistance to achieve their aim, and this shows how they are becoming increasingly sophisticated in launching attacks through vulnerable software and applications.
A good example is the SolarWinds hack, in which attackers used highly technical tooling to carry out a supply chain attack that impacted several organizations. These attackers are no longer content with thousands of dollars in loot. They now go for the jugular, investing heavily to attack companies and organizations that provide critical services.
Once they hit these organizations, they are confident that a ransom payment will run into the millions. In most breaches, the blame is usually placed entirely on software supply chain vendors. But the level of sophistication deployed by the threat actors shows that even the most careful vendor can be successfully exploited.
As a result, security researchers maintain that the best way to curb the risks of exploitation is for all stakeholders to apply various security techniques and create regular awareness of the threat actors and the damage they can cause. The awareness also includes constantly reminding users to update their devices and applications to give hackers little room for exploitation.