Kubernetes vulnerabilities: 2023 roundup
Transparency in vulnerability disclosure plays a crucial role in effective risk management, regardless of software...
Feb 6, 2022
Researcher Moshe Zioni from Apiiro, discovered a major software supply chain critical vulnerability – CVE-2022-24348 – in the popular open-source CD platform Argo CD. Exploiting it enables attackers to obtain sensitive information like credentials, secrets, API keys from other applications. This in turn can lead to privilege escalation, lateral movements, and information disclosure.
Due to the high severity of this vulnerability, we have added to Kubescape a special control – C-0081 – that identifies if the vulnerable Argo CD version exists in your deployment – run ARMOBest Framework using the command:
Kubescape scan framework ARMOBest –submit
This kind of vulnerability illustrates the importance of continuous periodic scanning of all deployed software images as opposed to CI/CD pre-deployment scanning. Kubescape is designed to enumerate all the deployed images from the Kubernetes API and scan them keeping detailed time-chronological results.
A patch is available for Argo CD versions:
Argo CD is a declarative, continuous delivery tool for Kubernetes. Argo CD follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. Kubernetes manifests can be specified in several ways:
Argo CD automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches, tags, or pinned to a specific version of manifests at a Git commit.
According to Moshe Zioni, VP of security research at Apiiro, The vulnerability is in the repository.go file where the attacker bypasses directory traversal checks and can get access to other artifacts in the Argo CD tool. These artifacts might contain API keys, secrets, and tokens.
See below the attack sequence presented in the Apiiro publication:
You can read more details on the actual vulnerable code here or here
There are a few things you should do:
According to Argo CD official documentation, a patch for this vulnerability has been released in the following Argo CD versions:
Transparency in vulnerability disclosure plays a crucial role in effective risk management, regardless of software...
Addressing Common Vulnerabilities and Exposures, known as CVE patching, is a practice of applying updates...
CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886 can be exploited by attacker to steal secret credentials from the...