CVE 2022-24348 – Argo CD High Severity Vulnerability and its impact on Kubernetes

Researcher Moshe Zioni from Apiiro, discovered a major software supply chain critical vulnerability – CVE-2022-24348 – in the popular open-source CD platform Argo CD. Exploiting it enables attackers to obtain sensitive information like credentials, secrets, API keys from other applications. This in turn can lead to privilege escalation, lateral movements, and information disclosure.

Due to the high severity of this vulnerability, we have added to Kubescape a special control – C-0081 – that identifies if the vulnerable Argo CD version exists in your deployment – run ARMOBest Framework using the command:

Kubescape scan framework ARMOBest –submit

This kind of vulnerability illustrates the importance of continuous periodic scanning of all deployed software images as opposed to CI/CD pre-deployment scanning. Kubescape is designed to enumerate all the deployed images from the Kubernetes API and scan them keeping detailed time-chronological results.

A patch is available for Argo CD versions:

• v2.3.0
• v2.2.4
• v2.1.9

About Argo CD

Argo CD is a declarative, continuous delivery tool for Kubernetes. Argo CD follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. Kubernetes manifests can be specified in several ways:

• kustomize applications
• helm charts
• ksonnet applications
• jsonnet files
• Plain directory of YAML/json manifests
• Any custom config management tool configured as a config management plugin

Argo CD automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches, tags, or pinned to a specific version of manifests at a Git commit.

The vulnerability

According to Moshe Zioni, VP of security research at Apiiro, The vulnerability is in the repository.go file where the attacker bypasses directory traversal checks and can get access to other artifacts in the Argo CD tool. These artifacts might contain API keys, secrets, and tokens.

See below the attack sequence presented in the Apiiro publication:

You can read more details on the actual vulnerable code here or here

 What should you do?

There are a few things you should do:

Scan if you are vulnerable:

• Make sure you are not running a vulnerable version using Kubescape’s new control C-0081. This control is part of the ARMOBest framework.
  You can run it in the following ways:
  1. Scan using the entire framework:
     Kubescape scan framework armobest –submit
  2. Scan using only the specific control:
     Kubescape scan control C-0081 
• You can use Kubescape SaaS to scan your cluster and/or the argocd namespace to see if you have this issue.
• Make sure you protect your secrets and store them in Kubernetes secrets and/or any KMS solution.
  You can check it using Kubescape control 12 (part of ARMOBest framework). Pay attention that this is a customizable control which can be set under settings->posture->controls-> C-0012 (Applications credentials in configuration files).
• Run Kubescape image vulnerability scanner periodically and review the results which will provide you a broader picture of all dangerous vulnerabilities you have in your cluster(s).

Remediation

According to Argo CD official documentation, a patch for this vulnerability has been released in the following Argo CD versions:

• v2.3.0
• v2.2.4
• v2.1.9