Maybe someday there will be a day when we don’t have a serious security problem to worry over, but that day is not today. In our latest headache, the cloud-native security company Apiiro’s Security Research team uncovered a nasty software supply chain zero-day vulnerability, CVE-2022-24348, in Argo CD, the popular open-source GitOps Continuous Delivery (CD) platform.
The problem is an oldie but a nasty one: a path traversal bug. When abused, it enables arbitrary values files to be consumed by Helm charts. Adding insult to injury, an attacker can craft malicious Helm chart packages that contain value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory.
Take This Hole Seriously
If you’re security savvy, you can already tell this is no good at all. If you had any doubts about its severity, its Common Vulnerability Scoring System (CVSS) score of 7.7, High, tells you that you must take this hole seriously.
For example, an attacker who can create or update Applications and knows or can guess the full path to a file containing valid YAML, can create a malicious Helm chart. This Helm malware can then be used to access private data. That includes encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data. These secrets can then be decrypted before the Helm chart is rendered.
Oh, and since verbose error messages from the helm template are passed back to the user, an attacker can get a much too good idea of what’s inside the repository server’s file system. Yes, that means a malicious actor can “hop” from their application ecosystem to other applications’ data outside of the user’s scope.
No Fun at All
This is not my idea of fun.
This prying open attack can be used on Argo CD before 2.1.9 and 2.2.x before 2.2.4.
Ironically, Argo CD’s developers saw this kind of exploitation coming in 2019 and built a mechanism to stop such attacks. Unfortunately, their fix wasn’t good enough.
What happens is the code searches for a patterned string that will fit into the mold of a URI for its input value. It does this with the ParseRequestURI function. But you can trick this function into accepting a local file path as a URI, and skip over the existing URI cleanup and anti-path-traversal mechanism check.
Bad News and Good News
It is, I’m sorry to say, all too easy to do once you know how. As the Apiiro team says, “Simply put: if the valueFiles listed are going to look like a URI, it will be treated as one, skipping all other checks and treating it as a legitimate URL.”
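The pitfall described above, as an added Go example that is not Argo CD's code: `url.ParseRequestURI` accepts any absolute path, so a check built on it classifies a local file as a URL, while a stricter check plus a symlink-aware containment test does not. The helper names, the `repoRoot` parameter and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// naiveIsURL mirrors the flawed pattern: whatever ParseRequestURI accepts is
// treated as a URL and skips the path checks. Hypothetical helper.
func naiveIsURL(v string) bool {
	_, err := url.ParseRequestURI(v)
	return err == nil
}

// strictIsURL accepts only an explicit http(s) scheme with a host.
func strictIsURL(v string) bool {
	u, err := url.Parse(v)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// resolveLocal returns the real path of a local value file, or an error when
// the path, or a symlink it passes through, leaves repoRoot.
func resolveLocal(repoRoot, v string) (string, error) {
	p := filepath.Clean(v)
	if !filepath.IsAbs(p) {
		p = filepath.Join(repoRoot, p)
	}
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(p) // fails if the file is missing
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("value file %q resolves outside the repository root", v)
	}
	return resolved, nil
}

func main() {
	for _, v := range []string{"values.yaml", "/etc/passwd", "https://example.com/v.yaml"} { // constructed inputs
		fmt.Printf("%-28q naive=%v strict=%v\n", v, naiveIsURL(v), strictIsURL(v))
	}
}
```

Open the path that `resolveLocal` returns rather than the original string, so the check and the read refer to the same file.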
That was the bad news. Here’s the good news. Argo CD and Apiiro jumped on fixing the problem immediately. A patch for this vulnerability is already out for the following Argo CD versions: v2.3.0, v2.2.4 and v2.1.9. Patch it now and all will be well.