Saturday04 February 2023

New Bug in Container Deployment Tool, Argo, Puts Container Environments at Risk

Reading time is around minutes.

Containers are a popular item with cloud-based infrastructure. The idea of running low-cost (from a resource standpoint) systems to handle work loads while maintaining a higher level of security is a nice one. Making this type of decision does not mean that it puts them out of the reach of attackers though. We have seen several methods used by attackers to gain access to and control of the containers that that are in use. One of the latest is due to a 0-Day flaw in the Argo Continuous Deployment tool.

The vulnerability has been identified as CVE-2022-24318 and affects all versions. The flaw allows attackers to potentially gain access to sensitive information including passwords and/or API keys in use. Argo’s continuous deployment (SD) feature is a way to automate code changes in different environments after they are tested. It makes updating code changes faster and more efficient. It is also a great target as compromising a tool like this means that an attacker can slip their code into any environment that Argo CD touches.

This type of focus is a continuation of a pattern by threat groups where they are targeting some of the core tools used to manage and monitor environments. Although the effort in some cases might be high, the payoff when there is a successful compromise is high (Think SolarWinds). In the case of hitting Argo CD an attacker can leverage this flaw to load a malicious Kubernetes Helm Chart YAML (Yet Another Markup Language) file. The Helm Chart is a package manager that contains information about a Kubernetes cluster or environment. This is pushed to the target system and the return contains sensitive information allowing for follow on exploitation of the environment.

Other misconfigurations in Argo have been identified as part of attacks that injected cryptominers into Kubernetes Clusters. This type of finding shows just how much access these automated tools have in an environment and how they can be abused if they are not properly configured and monitored. In a widely distributed work environment this can be very difficult, but the potentially consequences are disastrous. Apriio security, the people credited with finding this flaw rate it as a patch now, just one more in the handful of serious flaws found and disclosed in the first 2 months of 2022. We have said it before, and we are sure to annoy you with it before the end of the year, 2022 is going to be a rough one.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.