Feb 6, 2022
Moshe Zioni, a security researcher at Apiiro, discovered a critical software supply chain vulnerability, CVE-2022-24348, in the popular open-source continuous delivery (CD) platform Argo CD. Exploiting it lets an attacker read sensitive information such as credentials, secrets and API keys belonging to other applications managed by the same Argo CD instance. This in turn can lead to privilege escalation, lateral movement and information disclosure.
Because of the high severity of this vulnerability, we have added a dedicated control to Kubescape, C-0081, that identifies whether a vulnerable Argo CD version exists in your deployment. The control is part of the ARMOBest framework, which you run with the command:
kubescape scan framework ARMOBest --submit
This kind of vulnerability illustrates the importance of continuous, periodic scanning of all deployed software images, as opposed to scanning only in the CI/CD pipeline before deployment: a vulnerability disclosed after an image has already been deployed is never seen by a pre-deployment scan. Kubescape is designed to enumerate all deployed images from the Kubernetes API and scan them, keeping a detailed chronological history of results.
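The inventory-style check described above, as an added example that is not Kubescape's own implementation of control C-0081: it walks a constructed list of pods (a stand-in for what a scanner lists from the Kubernetes API), picks out Argo CD images regardless of registry, tag or digest, and classifies each one against the affected ranges stated in the CVE-2022-24348 record (every release before 2.1.9, and 2.2.x before 2.2.4). The Pod and Finding types, the pod names and the image references are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Pod is a constructed stand-in for the pod objects a scanner would list from
// the Kubernetes API; only the container image references matter here.
type Pod struct {
	Namespace string
	Name      string
	Images    []string
}

// Finding records the verdict for one Argo CD container image.
// Status is one of "vulnerable", "fixed" or "unknown".
type Finding struct {
	Namespace, Pod, Image, Version, Status string
}

var semverRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(-.+)?$`)

// splitImage separates an OCI reference into repository and tag, dropping any
// @sha256 digest and not mistaking a registry port (host:5000/...) for a tag.
func splitImage(ref string) (repo, tag string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	slash := strings.LastIndex(ref, "/")
	colon := strings.LastIndex(ref, ":")
	if colon > slash {
		return ref[:colon], ref[colon+1:]
	}
	return ref, ""
}

// isArgoCDImage matches the argocd image whatever registry it is pulled from
// (quay.io/argoproj/argocd, an internal mirror, or a bare "argocd").
func isArgoCDImage(repo string) bool {
	return repo == "argocd" || strings.HasSuffix(repo, "/argocd")
}

// cve202224348Status applies the affected ranges from the CVE record:
// everything before 2.1.9 and 2.2.x before 2.2.4 is vulnerable. Tags without a
// parseable release version (latest, release candidates, digest-only pulls)
// are reported as unknown rather than silently treated as fixed.
func cve202224348Status(tag string) (version, status string) {
	m := semverRe.FindStringSubmatch(tag)
	if m == nil || m[4] != "" {
		return tag, "unknown"
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	version = fmt.Sprintf("%d.%d.%d", major, minor, patch)
	switch {
	case major < 2, major == 2 && minor < 1:
		return version, "vulnerable"
	case major == 2 && minor == 1:
		if patch < 9 {
			return version, "vulnerable"
		}
	case major == 2 && minor == 2:
		if patch < 4 {
			return version, "vulnerable"
		}
	}
	return version, "fixed"
}

// ScanPods walks every container image of every pod and emits one finding
// per Argo CD image; non-Argo CD images are skipped.
func ScanPods(pods []Pod) []Finding {
	var out []Finding
	for _, p := range pods {
		for _, img := range p.Images {
			repo, tag := splitImage(img)
			if !isArgoCDImage(repo) {
				continue
			}
			version, status := cve202224348Status(tag)
			out = append(out, Finding{p.Namespace, p.Name, img, version, status})
		}
	}
	return out
}

func main() {
	// Constructed inventory standing in for a cluster-wide pod listing.
	pods := []Pod{
		{"argocd", "argocd-repo-server-7c9", []string{"quay.io/argoproj/argocd:v2.1.8"}},
		{"argocd", "argocd-redis-5d4", []string{"redis:6.2.6-alpine"}},
		{"argocd-staging", "argocd-server-6b1", []string{"registry.internal:5000/mirror/argocd:v2.2.4@sha256:0123456789abcdef"}},
		{"argocd-dev", "argocd-server-9f2", []string{"argoproj/argocd:v2.3.0-rc4"}},
	}
	for _, f := range ScanPods(pods) {
		fmt.Printf("%-15s %-26s %-12s %s\n", f.Namespace, f.Pod, f.Version, f.Status)
	}
}
```

The point of the "unknown" status is that a scanner which cannot determine the version must say so; mapping `latest` or a release candidate to "fixed" by default is how a vulnerable deployment stays invisible between scans.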
A patch is available for Argo CD versions:
Argo CD is a declarative, continuous delivery tool for Kubernetes. Argo CD follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. Kubernetes manifests can be specified in several ways:
Argo CD automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches or tags, or be pinned to a specific version of the manifests at a Git commit.
According to Moshe Zioni, VP of Security Research at Apiiro, the vulnerability is in the repository.go file: an attacker can bypass its directory traversal checks and gain access to other artifacts handled by Argo CD. These artifacts might contain API keys, secrets and tokens.
See below the attack sequence presented in the Apiiro publication:
You can read more details on the actual vulnerable code here or here.
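To make the class of bug concrete, here is an added example, written for this page and not taken from Argo CD's repository.go or from the Apiiro write-up: a directory traversal check of the kind a GitOps tool applies to a user-supplied relative path (such as a Helm values file reference) before reading it from the application directory. The two ways the naive version fails (a sibling directory whose name shares the root's string prefix, and a symlink committed inside the app directory that points outside it) are generic weaknesses of prefix-only checks, shown to explain why the check must be both lexical and filesystem-aware; they are not a description of the specific bypass in CVE-2022-24348. The function names and the fixture layout under a temporary directory are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// confineNaive is the flawed pattern: join the user-supplied relative path onto
// the application directory and accept it if the cleaned result starts with the
// directory as a string. It is lexical only, and the string-prefix test also
// accepts sibling directories whose names merely begin with the root's name.
func confineNaive(root, rel string) (string, error) {
	resolved := filepath.Clean(filepath.Join(root, rel))
	if !strings.HasPrefix(resolved, filepath.Clean(root)) {
		return "", errors.New("path escapes application directory")
	}
	return resolved, nil
}

// escapes reports whether a filepath.Rel result points above its base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// confineLexical fixes the string-prefix problem without touching the
// filesystem: the candidate must be the root itself or a descendant of it,
// which filepath.Rel expresses as a relative path that does not start with "..".
func confineLexical(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", errors.New("absolute values file paths are not allowed")
	}
	root = filepath.Clean(root)
	candidate := filepath.Join(root, rel) // Join cleans the result
	r, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if escapes(r) {
		return "", fmt.Errorf("%q escapes %q", rel, root)
	}
	return candidate, nil
}

// confineReal adds the check a lexical test cannot give: both root and target
// are resolved through symlinks, and the real target must still sit under the
// real root. Without it a symlink committed into the chart (link.yaml ->
// ../app-secrets/creds.yaml) passes the lexical check and reads whatever it
// points at. The target must exist, which a values file has to anyway.
func confineReal(root, rel string) (string, error) {
	candidate, err := confineLexical(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	r, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return "", err
	}
	if escapes(r) {
		return "", fmt.Errorf("%q resolves to %q, outside %q", rel, realPath, realRoot)
	}
	return realPath, nil
}

// buildFixture creates a constructed repository layout in a temp directory:
//   repos/app/values.yaml                         legitimate values file
//   repos/app/link.yaml -> ../app-secrets/creds.yaml  symlink leaving the app dir
//   repos/app-secrets/creds.yaml                  sibling dir sharing the "app" prefix
// It returns the app root and a cleanup func that removes the whole tree.
func buildFixture() (root string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "traversal-demo-")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	root = filepath.Join(base, "repos", "app")
	sibling := filepath.Join(base, "repos", "app-secrets")
	steps := []func() error{
		func() error { return os.MkdirAll(root, 0o755) },
		func() error { return os.MkdirAll(sibling, 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "values.yaml"), []byte("replicaCount: 1\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(sibling, "creds.yaml"), []byte("apiKey: constructed-sample\n"), 0o600) },
		func() error { return os.Symlink(filepath.Join("..", "app-secrets", "creds.yaml"), filepath.Join(root, "link.yaml")) },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	for _, rel := range []string{"values.yaml", "../app-secrets/creds.yaml", "link.yaml"} {
		_, nerr := confineNaive(root, rel)
		_, rerr := confineReal(root, rel)
		fmt.Printf("%-28s naive accepts: %-5v hardened accepts: %v\n", rel, nerr == nil, rerr == nil)
	}
}
```

Running it shows the naive check accepting all three paths while the hardened one accepts only values.yaml. The order of the two checks matters: the lexical check rejects cheaply and without filesystem access, and the symlink check is what actually binds the decision to the file that will be opened.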
There are a few things you should do:
According to the official Argo CD documentation, a patch for this vulnerability has been released in the following Argo CD versions: