We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Researchers today disclosed a zero-day vulnerability in Argo CD, an open source developer tool for Kubernetes, which carries a “high” severity rating.
The vulnerability (CVE-2022-24348) was uncovered by the research team at cloud-native application protection firm Apiiro. The company says it reported the vulnerability to the open source Argo project before disclosing the flaw on its blog today. The bug affects all versions of Argo CD, and patches are now available.
Argo CD is a continuous delivery platform for developers that use Kubernetes, the dominant container orchestration system.
Exploits of the vulnerability in Argo CD could allow an attacker to acquire sensitive information — including passwords, secrets, and API keys — through utilization of malicious Kubernetes Helm Charts, Moshe Zioni, vice president of security research at Apiiro, wrote in a blog post. Helm Charts are YAML files used to manage Kubernetes applications.
Zioni said the vulnerability has been given a severity rating of “high” (7.7), though as of this writing, the National Institute of Standards and Technology (NIST) website had not yet posted the rating.
In an email to VentureBeat, Zioni said the vulnerability could potentially have a “very significant impact on the industry” since Argo CD is used by thousands of organizations. The open source project has more than 8,300 stars on GitHub.
The Argo CD platform enables declarative specifications for applications as well as automated deployments leveraging GitHub. Intuit donated the project to the Cloud Native Computing Foundation in 2020 after acquiring its creator, Applatix, in 2018.
The newly disclosed flaw in Argo CD “allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” Zioni said in the Apiiro blog post.
Thus, attackers “can read and exfiltrate secrets, tokens, and other sensitive information residing on other applications,” he said. Exploits of the vulnerability could lead to privilege escalation, lateral movement, and disclosure of sensitive information, Zioni said in the post.
Application files “usually contain an assortment of transitive values of secrets, tokens, and environmental sensitive settings,” he said. “This can effectively be used by the attacker to further expand their campaign by moving laterally through different services and escalating their privileges to gain more ground on the system and target organization’s resources.”
The impact of the vulnerability “can especially become critical in environments that make use of encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart,” a representative for the Argo CD project said in a security advisory on GitHub.
“We urge users of Argo CD to update their installation to one of the fixed versions,” the advisory says.
Zioni said that the Argo CD team provided a “swift” response after being informed about the vulnerability.
Open source insecurity
The disclosure of the vulnerability in Argo CD comes amid growing concerns about the prevalence of insecure software supply chains. High-profile incidents have included the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains surged by more than 300% in 2021, Aqua Security reported.
Meanwhile, open source vulnerabilities such as the widespread flaws in the Apache Log4j logging library and the Linux polkit program have underscored the issue. On Monday, The Open Source Security Foundation announced a new project designed to secure the software supply chain, backed by $5 million from Microsoft and Google.
“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain platforms, such as Argo CD,” said Yaniv Bar-Dayan, cofounder and CEO at cybersecurity risk management vendor Vulcan Cyber, in an email to VentureBeat.
“We need to do better as an industry before our cyber debt sinks us,” Bar-Dayan said. “IT security teams must collaborate and do the work to protect their development environments and software supply chains from threat actors.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.