Serious Argo CD Vulnerability Could Allow Admin Access To The Attackers

A major security vulnerability existed in the Kubernetes continuous delivery tool Argo CD. Exploiting this bug could let an attacker gain elevated privileges, including admin access, on the target instance.

Argo CD Privilege Escalation Vulnerability Discovered

According to a GitHub advisory, a privilege escalation vulnerability threatened the security of Argo CD instances.

As stated, an unauthenticated adversary could exploit the flaw to gain elevated privileges to the target Argo CD instance. Exploiting the bug, however, required anonymous access to be enabled. That means the instances with anonymous access disabled (the default setting) remained unaffected.

Regarding the vulnerability, the advisory states,

A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request.

An attacker could impersonate any user role to trigger the bug, including the built-in admin role. Upon gaining elevated privileges, such as admin access, the attacker could perform unauthorized activities, like creating, manipulating, or deleting any resource on the cluster. Similarly, the attacker could also steal sensitive data by deploying malicious workloads.

Patch Released

The vulnerability first caught the attention of two security researchers, Mark Pim and Andrzej Hajto, who then reported the matter to the maintainers.

Following this discovery, Argo CD maintainers patched the bug and released fixes with Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Therefore, users can simply update to the patched versions to remain safe from potential exploits.

However, in cases where immediate updates aren’t possible, the maintainers recommend disabling anonymous access. Again, though, users who have not changed the default configuration do not need to worry since anonymous access is disabled by default. But users who enabled this option should disable it again until updating their Argo CD instances.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients