Argo CD Security Bug Opens Kubernetes Cloud Apps to Breaches!

The popular continuous-delivery platform for Kubernetes has a path-traversal bug (CVE-2022-24348) that could allow cyber-attackers to leap from 1 application to another.

A high-severity security vulnerability in Argo CD can let attackers access targets’ application-development environments, facilitating the theft of passwords, API keys, tokens & other sensitive information.

Argo CD is a ‘continuous-delivery platform’ used as a Kubernetes controller in the cloud, & it is used to deploy applications, then continuously monitor them in real time while they run.

Access Files

The bug is a ‘path-traversal’ issue, according to Apiiro’s security-research team, which occurs when adversaries are able to access files & directories that are stored outside their permissioned area. It carries a score of 7.7 out of 10 on the CVSS vulnerability-severity scale.

Attackers can exploit the bug (CVE-2022-24348) by loading a malicious Kubernetes Helm Chart YAML file into the Argo CD system, then using it to “hop” from their own application ecosystem to access other applications’ data, researchers stated.

Argo Attack Vector

The vulnerability exists in the way Argo CD oversees the control for its anti-path-traversal security mechanism, according to Apiiro.

In terms of how the bug can be specifically exploited, it is important to understand how users can leverage Argo CD to build an application-deployment pipeline, Apiiro noted. They can do this in 2 ways: by defining a Git repository, or by building a Kubernetes Helm Chart file. The issue lies in the latter approach.

Metadata

“A Helm Chart is a YAML file that embeds different fields to form a declaration of resources & configurations needed in order to deploy an application,” according to an Apiiro analysis last Thursday.

The file includes “the metadata & information needed to deploy the appropriate Kubernetes configuration, & the ability to dynamically update the cloud configuration as the manifest is being modified.”

The application being built may have certain building blocks, which could be housed in other files that function as self-contained application parts kept in a repository.

“Repositories are saved on a dedicated server or pod named argocd-reposerver,” according to Apiiro. “There is no strong segmentation apart from file hierarchy, so the anti-path-traversal mechanism is a critical linchpin of file security.”

Anti-Path-Traversal Mechanism

Argo CD’s anti-path-traversal mechanism is managed by a single file in the source code, according to the analysis. The file performs the procedural clean-up of the source path input & checks that the resulting cleaned-up path lies within the subdirectory of the current operating directory. It does this by evaluating the elements listed under the Helm Chart’s valueFiles field.

The valueFiles fields are parsed by the application starting with a preliminary check for input value content: “The code searches for a patterned string that will fit into the mold of a URI by using a function called ParseRequestURI,” explained researchers.

Raw URL

ParseRequestURI parses a raw URL into a URL structure, & it assumes that the raw URL was received in an HTTP request, they noted. This in turn makes it possible to confuse the parser, to make it think that a local file-path name is a valid URL – which would cause it to skip the clean-up and anti-path-traversal mechanism check, they explained.

“If the valueFiles listed are going to look like a URI, it will be treated as one, skipping all other checks & treating it as a legitimate URL,” explained the researchers.

“Because the default behaviour of the function is to take for granted that it receives an HTTP request, it can be an absolute path of a URL like /directory/values.yaml. When looking at it as a URL, it passes the sanity test but is an absolute file-path.”
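To make the parser confusion concrete, here is an added Go example (not Argo CD’s own code, nor its actual patch) that places the weak ParseRequestURI-based classification described above beside a stricter one, plus a helper that confines local values files to the application directory; the function names, the application-root path and the sample values paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// weakIsURL reproduces the flawed classification described above: whatever
// ParseRequestURI accepts is treated as a remote URL and skips the local
// path check. "/directory/values.yaml" has no scheme or host, yet passes.
func weakIsURL(s string) bool {
	_, err := url.ParseRequestURI(s)
	return err == nil
}

// strictIsURL only treats a value as remote when it carries an explicit
// http/https scheme and a host; bare absolute paths fall through to the
// local-path handling below instead of bypassing it.
func strictIsURL(s string) bool {
	u, err := url.Parse(s)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// resolveLocalValuesFile confines a local values file to appRoot (the
// application's directory on the repo server; a hypothetical path here).
// Absolute paths are refused outright; relative ones are cleaned and then
// checked to still sit under appRoot, which blocks "../other-app/..." escapes.
func resolveLocalValuesFile(appRoot, valueFile string) (string, error) {
	if filepath.IsAbs(valueFile) {
		return "", fmt.Errorf("absolute values path %q not allowed", valueFile)
	}
	joined := filepath.Clean(filepath.Join(appRoot, valueFile))
	rel, err := filepath.Rel(appRoot, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("values path %q escapes %s", valueFile, appRoot)
	}
	return joined, nil
}
```

Running weakIsURL on "/directory/values.yaml" returns true while strictIsURL returns false, which is exactly the difference that decides whether the traversal check is reached.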

Helm Chart

Thus, attackers can use a specially crafted Helm Chart with requests for application file paths, which tend to be guessable, that lead to portions of application environments outside their purview, according to Apiiro.

“Because the reposerver uses a monolithic & deterministic file-structure, all the other out-of-bound applications have a definite & predictable format & path,” the researchers outlined. “An attacker can assemble a concatenated, direct call to a specified values.yaml file, which is used by many applications as a vessel for secret & sensitive values.”

Exploitation Impact

If cyber-attackers successfully exploit the bug, they can read the contents of other files present on the reposerver, which can contain sensitive information, according to the analysis. While that is concerning enough, researchers also noted that an exploit could offer a way in for moving laterally through an organisation’s cloud.

“Because application files usually contain an assortment of transitive values of secrets, tokens & environmental sensitive settings – this can effectively be used by the attacker to further expand their campaign by moving laterally through different services & escalating their privileges to gain more ground on the system & target organisation’s resources,” they explained.

Cloud Resources

Administrators should update with Argo CD’s patch as soon as possible, especially because cyber-attackers are following the increasing number of organisations moving workloads to cloud resources & Kubernetes.

Note also that Argo itself has been used to conduct attacks. Last July, it emerged that misconfigured permissions for Argo Workflows’ web-facing dashboard were being exploited by unauthenticated attackers to run code on Kubernetes targets, including crypto-mining containers.
