A zero-day vulnerability in open-source Kubernetes development tool Argo lets malicious people steal passwords from git-crypt and other sensitive information by simply uploading a crafted Helm chart.
Charts are the actual packaging format of ubiquitous tool-for-managing-Kubernetes applications Helm.
The vuln, tracked as CVE-2022-24438, exists in Argo CD, a widely used open-source continuous delivery tool for Kubernetes. Patched versions available from the project’s maintainers are 2.19, 2.2.4 and 2.3.0.
“It is possible to craft special Helm chart packages containing value files that are actually symbolic links, pointing to arbitrary files outside the repository’s root directory,” said a member of the Argo project in a security advisory about the flaw.
They said all versions of the tool were vulnerable, adding: “The impact can especially become critical in environments that make use of encrypted value files (e.g. using plugins with git-crypt or SOPS) containing sensitive or confidential data, and decrypt these secrets to disk before rendering the Helm chart.”
Cloud security firm Apiiro discovered the vuln after asking itself whether it could find a way of making an Argo URI parser “accept a local file-path and confuse it to be a URI, and use that confusion to skip the whole cleanup and anti-path-traversal mechanism check.”
The firm added: “Although Argo CD contributors were aware of this weak point in 2019 and implemented an anti-path-traversal mechanism, a bug in the control [sic] allows for exploitation of this vulnerability.”
A timeline given by Apiiro said there were just four days between initial disclosure, patching and coordinated public disclosure, starting on 30 January.
Apiiro deduced that Argo CD’s URI parser always treats URI-formatted strings as having been sanitised earlier in the application’s workflow. Using a crafted Helm chart to pass it absolute file paths in URI format would therefore allow an attacker to sidestep Argo CD’s file path traversal prevention mechanism.
“An attacker can assemble a concatenated, direct call to a specified values.yaml file, which is used by many applications as a vassal for secret and sensitive values,” concluded Moshe Zioni, Apiiro’s security research veep, in the company’s blog post. He gave his findings a CVSS v3.0 score of 7.7, though so far no other sources appear to have reviewed or endorsed this.
Jamie Moles, a senior technical manager at network detection and response firm ExtraHop, opined: “One of the biggest issues here is that Kubernetes is essential for cloud-native companies. As with Log4j, whenever a ubiquitous piece of code is attacked it makes huge swathes of the internet vulnerable to attack.”
Supply chain attacks went big over the last year as criminals and nation states leapt on the idea of compromising widely used software suites. Explosively throwing it into the wider public consciousness was the attack on SolarWinds by Russia, followed a few months later by MSP software maker Kaseya. After those came the Log4j horror show, spreading supply chain attacks to the open-source world. That prompted the US government to convene a meeting at the White House, pondering how to better secure open-source-dependent software against such flaws.
While they come up with a solution, best update your installations to one of the fixed versions, as there is “no workaround for this issue.” ®