
GitOps users warned to patch 3 new Argo CD CVEs

Three recently identified vulnerabilities, one designated high severity, now have fixes following a lengthy disclosure process and disagreements about their real-world risk.

Patches are available for three newly reported security vulnerabilities affecting the Argo CD GitOps platform, which could potentially raise the risk of brute-force and denial-of-service attacks.

The vulnerabilities were first discovered in September 2023 by Kubernetes security startup KTrust, which came out of stealth in February. But they were only publicly disclosed this week, one day after patches were made available -- a longer timeline than the 90 days usually considered standard for such a process.

The flaws, including their Common Vulnerabilities and Exposures (CVE) IDs, are as follows:

  • Bypassing Rate Limit and Brute-Force Protection Using Cache Overflow (CVE-2024-21662).
  • Bypassing Brute-Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652).
  • Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multithreaded Environment (CVE-2024-21661).

The first two have a medium rating under the Common Vulnerability Scoring System standard, while the third is rated high risk. The first two CVEs were discovered when KTrust researchers were able to use them to overwhelm Argo CD's protections against brute-force attacks -- where attackers endlessly guess at passwords until they discover the right one.

The third vulnerability could also be used to crash the Argo CD application completely, without an attacker gaining access.

"This constant disruption makes the service inaccessible to legitimate users," according to a KTrust press release. "The lack of an authentication requirement for exploiting this vulnerability significantly increases the risk, as any user, authenticated or not, can potentially initiate the attack."

[Photo: Nadav Aharon-Nov, CTO and co-founder, KTrust]

Researchers at KTrust were eventually able to gain access to the Argo platform with root credentials by exploiting each of the vulnerabilities, said Nadav Aharon-Nov, CTO and co-founder at KTrust, in an interview with TechTarget Editorial. This required the additional step of using automated brute-force tools to try many password guesses.

Because of the first vulnerability, KTrust researchers were able to reset the cache Argo CD uses to track the number of login attempts by overwhelming it with more than 1,000 entries. With the second, researchers overwhelmed the Argo CD application with a DoS attack that crashed it, which also wiped the in-memory record of login attempts. The third, which concerns how the project's code modifies arrays (lists of values) from multiple threads at once, can also reset the cache.
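To make the first failure mode concrete, here is an added Go model (written for this article; it is not Argo CD's code and does not claim to reproduce its real data structures) of a login-attempt counter kept only in a fixed-size in-memory cache, beside a variant that records lockouts in a separate store so cache eviction cannot erase them. The 1,000-entry capacity mirrors the figure quoted above; the 5-failure threshold and the `boundedCache`, `lockoutStore` and `survivesFlood` names are assumptions of this example.

```go
package main

import "strconv"

const maxFailures = 5      // failed logins before an account is locked (assumed)
const cacheCapacity = 1000 // entries the in-memory counter cache can hold
// AttemptTracker is implemented by both models below.
type AttemptTracker interface {
	RecordFailure(user string)
	IsLocked(user string) bool
}

// boundedCache models the weak design: counters live only in a fixed-size
// in-memory map that is flushed when full, so a flood of unrelated usernames
// erases every counter, including the one guarding "admin".
type boundedCache struct{ counts map[string]int }

func (b *boundedCache) RecordFailure(user string) {
	if b.counts == nil || len(b.counts) >= cacheCapacity {
		b.counts = map[string]int{} // overflow: every counter is forgotten
	}
	b.counts[user]++
}
func (b *boundedCache) IsLocked(user string) bool { return b.counts[user] >= maxFailures }

// lockoutStore models the mitigation: the counter cache is still bounded, but
// a lockout, once reached, goes into a separate store that cache pressure never
// clears (back it with durable storage so a crash cannot reset it either).
type lockoutStore struct {
	boundedCache
	locked map[string]bool
}

func (s *lockoutStore) RecordFailure(user string) {
	s.boundedCache.RecordFailure(user)
	if s.counts[user] >= maxFailures {
		if s.locked == nil {
			s.locked = map[string]bool{}
		}
		s.locked[user] = true
	}
}
func (s *lockoutStore) IsLocked(user string) bool { return s.locked[user] }

// survivesFlood locks victim on t, records one failure for each of n distinct
// filler usernames, and reports whether the lock survived the flood.
func survivesFlood(t AttemptTracker, victim string, n int) bool {
	for i := 0; i < maxFailures; i++ {
		t.RecordFailure(victim)
	}
	for i := 0; i < n; i++ {
		t.RecordFailure("filler-" + strconv.Itoa(i))
	}
	return t.IsLocked(victim)
}
```

Run with `go test`: the weak cache keeps the lock only while the flood stays below capacity, whereas the lockout store keeps it regardless of how many filler entries arrive.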

After that, it was only a matter of time before the brute-force tools found the correct password, Aharon-Nov said.

"Of course, we know that there is always one admin account, and it's called 'admin,'" Aharon-Nov said. "[Argo] also limits the amount of characters [in a password], so it was just a matter of time."

Argo CD is among the fastest-growing Cloud Native Computing Foundation projects in terms of the number of contributors, with 927 code authors in 2023, according to CNCF's annual report. Nearly half of respondents to a 2021 CNCF survey said they were using or evaluating using Argo. The Argo Project, which came out of Intuit, has more than 6,000 users, including Intuit subsidiary Credit Karma, Capital One, IBM and Electronic Arts.

Patches a long time coming, with disagreements about risk

KTrust disclosed the CVEs under embargo to press last week. At the time, the vulnerabilities were not yet patched by the project upstream, even though the startup first uncovered them in September 2023. However, as of March 17, a group of Argo CD maintainers including Codefresh, Red Hat, Intuit and Akuity had made fixes available.


"These CVEs impact unprotected Argo CD endpoints in all unpatched versions," wrote Dan Garfield, co-founder and chief open source officer at Codefresh, in a blog post. "A successful brute-force [attack] would result in unauthorized access to Argo CD user accounts and whatever permissions are available to those accounts."

Industry analysts and Argo CD vendors expressed varying views last week about the seriousness of the vulnerabilities, given that broader security best practices could be used to mitigate them even on unpatched systems.

"My perspective is that if you protect your applications and they are not exposed to the broader internet, you would have to be concerned about an internal attacker -- bad things would have to happen to penetrate the private network or VPC [virtual private cloud] first," said Rob Strechay, lead analyst at TheCube, an enterprise tech media company. "This is a major concern for SaaS services that use Argo CD under the hood, like Akuity and OpsMx."

OpsMx officials said over the weekend that the vulnerabilities are not a concern for its customers, however.

"As long as Argo users are following standard basic security practices, like using [single sign-on] and not making Argo accessible from the public internet, their exposure is minimal," wrote Gopi Rebala, CTO and co-founder at OpsMx, in an email to TechTarget Editorial. "Tools like OpsMx's Deploy Shield security extension for Argo provide additional protection by making CVEs like this visible during the software delivery and deployment process."

Codefresh, which offers cloud-based Argo CD as a service, also said its users were protected in the event of a successful attack on these vulnerabilities.

"For Codefresh GitOps users, this would not [allow] any access to the control plane or additional user data," the vendor's March 17 blog post stated. "Additionally, Codefresh's unique architecture would make attempts to execute these CVEs much more difficult for attackers."

[Figure: Diagrams comparing a DevOps pipeline vs. a GitOps pipeline. GitOps tools such as Argo CD have gained popularity over the last four years as an efficient means of maintaining cloud-native apps and infrastructure.]

An Argo maintainer from Intuit said the project will use the stalled response to these CVEs to improve the process of coordinating vulnerability disclosures and fixes for the project. But OpsMx's Rebala said the CVEs didn't warrant a more urgent response.

"In some cases like this one, the real-world risk is much lower than what is assigned by NVD [the National Vulnerability Database], which means it has a longer timeline for distributing a fix," he wrote. "In the meantime, announcements like this are just intended to scare users. It really does not help anyone and makes it harder to get people's attention in the future when there is an issue that really does require urgent attention."

But whether Argo CD users in the wild are following suggested security practices is a big if, according to KTrust's Aharon-Nov. Tools hackers commonly use, such as Google dork queries, uncovered Argo CD instances exposed to the internet during KTrust's research.

"Most of these applications [such as Argo] run on Kubernetes, and we rarely see a dedicated VPC just for them," he said. "As long as the person has the Kubernetes stack and the cluster itself configured correctly, it probably won't be exposed. ... But Kubernetes is a very complex dynamic platform ... and a lot of other people open a port but think it's closed."

Without strict separation for the Argo CD app, the risk is that a compromised instance of the GitOps platform could lead to further compromises of Kubernetes clusters and other systems connected to it, said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global.

"Argo CD by its nature has access to different DevOps tools to serve its function as a Kubernetes controller," Kennedy said.

"From Argo CD's perspective, it may seem as though KTrust is generating attention for itself by pointing out security flaws in a popular tool," he added. "This, however, is fairly common in the security industry, and coordinated disclosure or the idea that your tool sets will be subject to unsolicited security testing and feedback as a condition of operating in the marketplace is a fairly established concept."

A 2019 451 Research report commissioned by Veracode and authored by Kennedy cited Google's Project Zero as the originator of the 90-day standard for coordinated vulnerability disclosures. However, most of 1,000 respondents to a 2019 451 Research survey about collaborative disclosure preferred even shorter time frames -- 29% preferred 30 to 60 days, and 36% preferred fewer than 30 days.

"It is important for tool providers and vendors to have established processes around coordinated disclosure, including receiving reports about vulnerabilities and processes for getting back to those reporting the vulnerabilities," Kennedy said.

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps.
