Skip to content

Users with any cluster secret update access may update out-of-bounds cluster secrets

Critical severity GitHub Reviewed Published Feb 16, 2023 in argoproj/argo-cd • Updated Feb 16, 2023

Package

gomod github.com/argoproj/argo-cd (Go)

Affected versions

>= 2.3.0, < 2.3.17
>= 2.4.0, < 2.4.23
>= 2.5.0, < 2.5.11
>= 2.6.0, < 2.6.2

Patched versions

2.3.17
2.4.23
2.5.11
2.6.2

Description

Impact

All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret.

The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters).

How the Attack Works

Argo CD stores cluster access configurations as Kubernetes Secrets. To take advantage of the vulnerability, an attacker must know the server URL for the cluster secret they want to modify.

The attacker must be authenticated with the Argo CD API server, and they must be authorized to update at least one (non project-scoped) cluster. Then they must craft a malicious request to the Argo CD API server.

Removing Deployment Restrictions

A cluster Secret's clusterResources field determines whether Argo CD users may deploy cluster-scoped resources to that cluster. The namespaces field determines the namespaces to which Argo CD users may deploy resources.

You can use this command to determine whether any of your cluster configurations employ these restrictions (replace argocd with the namespace of your Argo CD installation):

kubectl get secret -n argocd -l 'argocd.argoproj.io/secret-type=cluster' -ojson | jq '.items |
  map(.data |= with_entries(.value |= @base64d)) |  # base64-decode secrets
  map(select(.data | (
    (.clusterResources != null and .clusterResources == "false") or # we deny cluster-scoped resource management
    (.namespaces != null and .namespaces != "")                     # we are only managing certain clusters
  )) | .metadata.name)'

The clusterResources and namespaces fields are one line of defense against unauthorized management of Kubernetes resources. Users should also have AppProject and RBAC restrictions in place.

If clusterResources: "false" or namespaces: "some,namespaces" are the only mechanisms preventing an attacker from maliciously managing certain resources via Argo CD, then this vulnerability could allow that attacker to manage out-of-bounds resources via Argo CD (create, get, update, delete).

Modifying Connection Parameters

Cluster secrets also hold client configuration for connecting to the remote cluster. One option is to skip TLS certificate verification. An attacker could disable certificate verification in an effort to achieve a malicious-in-the-middle (MITM) attack.

Alternatively, an attacker could apply an invalid configuration (for example, by setting an invalid bearer token) and achieve a denial-of-service by preventing Argo CD from managing the target cluster.

Changing Unscoped Clusters to be Scoped

The vulnerability also allows an attacker to modify a previously-unscoped cluster and make it scoped. This is important if you are using permitOnlyProjectScopedClusters: true in a project under which the attacker can deploy. By scoping a previously-unscoped cluster under that project, they can grant themselves the ability to manage resources on the target cluster.

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.6.2
  • v2.5.11
  • v2.4.23
  • v2.3.17

Workarounds

The best way to mitigate the vulnerability is to upgrade. The following two sections explain other ways to mitigate the vulnerability if you are currently unable to upgrade.

Limit Users with Cluster Update Access

The only complete mitigation besides upgrading is to modify your RBAC configuration to completely revoke all clusters, update access.

To exploit this vulnerability, an attacker must have access to update at least one cluster configuration. Check your RBAC configuration, for lines like this:

p, role:developers, clusters, update, *, allow
p, role:developers, clusters, *, *, allow
p, role:developers, *, update, *, allow

Revoke clusters, update access for any users who do not absolutely need that access.

Restrict Resource Management via AppProjects and RBAC

AppProjects are a primary tool to restrict what resources may be managed via Argo CD.

You can use the destinations and clusterResourceWhitelist fields to apply similar restrictions as the namespaces and clusterResources fields described above.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
  destinations:
  # Only allow Applications managed by this AppProject to manage to the `allowed-namespace` namespace.
  - namespace: 'allowed-namespace'
    server: 'https://your-server'
  # Do not allow Applications managed by this AppProject to manage any cluster-scoped resources.
  clusterResourceWhitelist: []

Along with adding AppProject restrictions, make sure that your RBAC restrictions are strict enough.

For example, limit projects, update access to Argo CD administrators only. Also use the {project} field in applications, *, {project}/{application} field to limit users' access to certain, restricted, AppProjects.

AppProject restrictions can only prevent Applications from managing out-of-bounds resources. It cannot prevent an attacker from maliciously changing cluster connection TLS configuration.

For more information

References

@crenshaw-dev crenshaw-dev published to argoproj/argo-cd Feb 16, 2023
Published by the National Vulnerability Database Feb 16, 2023
Published to the GitHub Advisory Database Feb 16, 2023
Reviewed Feb 16, 2023
Last updated Feb 16, 2023

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS score

0.104%
(43rd percentile)

Weaknesses

CVE ID

CVE-2023-23947

GHSA ID

GHSA-3jfq-742w-xg8j

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.