Maybe someday there will be a day when we don’t have a serious security problem to worry over, but that day is not today. In our latest headache, the cloud-native security company Apiiro’s Security Research team uncovered a nasty software supply chain zero-day vulnerability, CVE-2022-24348, in Argo CD, the popular open-source GitOps Continuous Delivery (CD) platform.
The problem is an oldie but nasty path traversal bug. When abused, it enables arbitrary values files to be consumed by Helm charts. Adding insult to injury, an attacker can craft malicious Helm chart packages which contain value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory.
If you’re security savvy you can already tell this is no good at all. If you had any doubts about its severity, its CVE Common Vulnerability Scoring System (CVSS) score of 7.7, High, tells you that you must take this hole seriously.
For example, an attacker who can create or update Applications and knows or can guess the full path to a file containing valid YAML can create a malicious Helm chart. This Helm malware can then be used to access private data. That includes encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data. These secrets can then be decrypted before the Helm chart is rendered.
Oh, and since verbose error messages from the helm template are passed back to the user, an attacker can get a much too good idea of what’s inside the repository server’s file system. Yes, that means a malicious actor can “hop” from their application ecosystem to other applications’ data outside of the user’s scope.
This is not my idea of fun.
This prying-open attack can be used against Argo CD versions before 2.1.9 and 2.2.x versions before 2.2.4.
Ironically, Argo CD’s developers saw this kind of exploitation coming in 2019 and built a mechanism to stop such attacks. Unfortunately, their fix wasn’t good enough.
What happens is that the code checks whether its input value fits the mold of a URI. It does this with the ParseRequestURI function. But you can trick this function into accepting a local file path as a URI, and so skip over the existing URI cleanup and anti-path-traversal check.
It is, I’m sorry to say, all too easy to do once you know how. As the Apiiro team says, “Simply put: if the valueFiles listed are going to look like a URI, it will be treated as one, skipping all other checks and treating it as a legitimate URL.”
Whoops.
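To make the failure mode concrete, here is an added Go illustration (not code from the article, from Apiiro, or from the Argo CD project) of a ParseRequestURI-only check beside a hardened classification that requires an allow-listed scheme and confines everything else to the repository root, symlinks included. The function names, the scheme allow-list and the repository layout are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// naiveIsURL mirrors the flawed check the article describes: anything that
// url.ParseRequestURI accepts skips the path check, yet "/etc/passwd" parses fine.
func naiveIsURL(val string) bool {
	_, err := url.ParseRequestURI(val)
	return err == nil
}

// allowedSchemes is an assumed allow-list for remote values files.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// insideRoot reports whether the cleaned absolute path p lies within root.
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveValuesFile is a hardened classification (hypothetical, not Argo CD's
// code): remote only with an allow-listed scheme and a host; otherwise a repo-relative
// path that must stay inside repoRoot (assumed absolute), even after following symlinks.
func resolveValuesFile(repoRoot, appPath, val string) (kind, resolved string, err error) {
	if u, perr := url.ParseRequestURI(val); perr == nil && u.Scheme != "" {
		if !allowedSchemes[u.Scheme] || u.Host == "" {
			return "", "", fmt.Errorf("values file %q: scheme %q not allowed", val, u.Scheme)
		}
		return "remote", u.String(), nil
	}
	if filepath.IsAbs(val) {
		return "", "", fmt.Errorf("values file %q: absolute paths are not allowed", val)
	}
	root, err := filepath.EvalSymlinks(repoRoot) // canonical root for like-with-like comparison
	if err != nil {
		return "", "", err
	}
	candidate := filepath.Join(root, appPath, val) // Join cleans ".." segments
	if !insideRoot(root, candidate) {
		return "", "", fmt.Errorf("values file %q escapes the repository root", val)
	}
	if target, e := filepath.EvalSymlinks(candidate); e == nil && !insideRoot(root, target) {
		return "", "", fmt.Errorf("values file %q is a symlink pointing outside the repository", val)
	}
	return "local", candidate, nil
}
```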
That was the bad news. Here’s the good news. Argo CD and Apiiro jumped on fixing the problem immediately. A patch for this vulnerability is already out in the following Argo CD versions: v2.3.0, v2.2.4 and v2.1.9. Patch it now and all will be well.