Researchers today disclosed a zero-day vulnerability, rated “high” severity, in Argo CD, an open source developer tool for Kubernetes.
The vulnerability (CVE-2022-24348) was uncovered by the research team at cloud-native application protection firm Apiiro. The company says it reported the vulnerability to the open source Argo project before disclosing the flaw on its blog today. Patches are now available, Apiiro said.
Argo CD is a continuous delivery platform for developers who use Kubernetes, the dominant container orchestration system.
Exploits of the vulnerability in Argo CD could allow an attacker to acquire sensitive information—including passwords, secrets, and API keys—by using malicious Kubernetes Helm Charts, said Moshe Zioni, vice president of security research at Apiiro, in the blog post. Helm Charts are YAML files used to manage Kubernetes applications.
Zioni said the vulnerability has been given a severity rating of “high” (7.7), though as of this writing, the National Institute of Standards and Technology (NIST) website had not yet posted the rating.
In an email to VentureBeat, Zioni said the vulnerability could potentially have a “very significant impact on the industry” since Argo CD is used by thousands of organizations. The open source project has more than 8,300 stars on GitHub.
The Argo CD platform enables declarative specifications for applications as well as automated deployments leveraging GitHub, according to Intuit. The company donated the project to the Cloud Native Computing Foundation in 2020 after acquiring its creator, Applatix, in 2018.
The newly disclosed flaw in Argo CD “allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” Zioni said in the Apiiro blog post.
Thus, attackers “can read and exfiltrate secrets, tokens, and other sensitive information residing on other applications,” he said. Exploits of the vulnerability could lead to privilege escalation, lateral movement, and disclosure of sensitive information, Zioni said in the post.
Application files “usually contain an assortment of transitive values of secrets, tokens, and environmental sensitive settings,” he said. “This can effectively be used by the attacker to further expand their campaign by moving laterally through different services and escalating their privileges to gain more ground on the system and target organization’s resources.”
Zioni said that the Argo CD team provided a “swift” response after being informed about the vulnerability.
Open source insecurity
The disclosure of the vulnerability in Argo CD comes amid growing concerns about the prevalence of insecure software supply chains. High-profile incidents have included the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains surged by more than 300% in 2021, Aqua Security reported.
Meanwhile, open source vulnerabilities such as the widespread flaws in the Apache Log4j logging library and the Linux polkit program have underscored the issue. On Monday, The Open Source Security Foundation announced a new project designed to secure the software supply chain, backed by $5 million from Microsoft and Google.
“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain platforms, such as Argo CD,” said Yaniv Bar-Dayan, cofounder and CEO at cybersecurity risk management vendor Vulcan Cyber, in an email to VentureBeat.
“We need to do better as an industry before our cyber debt sinks us,” Bar-Dayan said. “IT security teams must collaborate and do the work to protect their development environments and software supply chains from threat actors.”