Argo security audit 2022
18th July, 2022
Ada Logics is happy to release the report for our security audit of Argo. The audit was facilitated by OSTIF and sponsored by CNCF, and was carried out by Ada Logics' team of researchers. We found several high-severity CVEs, which the Argo teams have worked hard to fix since mid-May. With the release of the report, all CVEs have been fixed.
Argo is a set of open source tools for Kubernetes to run workflows, manage clusters, and carry out GitOps tasks, and it is adopted by companies like Adobe, Alibaba Group, BMW Group, Capital One, Deloitte, Google, Handelsbanken, IBM, Red Hat, Skyscanner, Tesla and many others. CNCF's annual survey of 2021 found that production use of Argo increases 115% year-on-year, which makes the project a critical piece of global infrastructure to secure. Argo was accepted by the CNCF in April 2020.
Findings
Ada Logics found 26 issues across ArgoCD, Argo Workflows and Argo Events. The issues are of various types and levels of exploitability. In this section we cover the findings from a high level.
CVE | GitHub Advisory | Severity (CVSS)
---|---|---
CVE-2022-31035 | GHSA-h4w9-6x78-8vrj | Critical (9.0)
CVE-2022-31102 | GHSA-pmjg-52h9-72qv | Low (2.6)
CVE-2022-31054 | GHSA-5q86-62xr-3r57 | High (7.5)
CVE-2022-25856 | GHSA-qpgx-64h2-gc3c | High (7.5)
CVE-2022-31036 | GHSA-q4w5-4gq2-98vm | Moderate (4.3)
CVE-2022-24904 | GHSA-6gcg-hp2x-q54h | Moderate (4.3)
CVE-2022-31016 | GHSA-jhqp-vf4w-rpwq | Moderate (6.5)
CVE-2022-31034 | GHSA-2m7h-86qq-fp4v | High (8.3)
CVE-2022-31105 | GHSA-7943-82jg-wmw5 | High (8.3)
XSS
We found a number of cases of XSS in the Argo UI that affected both ArgoCD and Argo Workflows. In Argo Workflows, we found six XSS issues, but these could not be reached by untrusted input. In ArgoCD, two XSS issues were assigned CVEs, with Low and Critical CVSS scores. The Critical CVE would allow a malicious user to inject JavaScript into a link in the UI and potentially have an admin user execute the malicious payload. This could lead to vertical privilege escalation to admin level.
The Low severity CVE was a case of stored XSS, which is the most dangerous type. Upon triaging the issue, we found that the server encryption key was required to launch the attack, which means the attacker could only escalate privileges horizontally and not vertically - hence the severity score of Low.
Path traversal vulnerabilities
ArgoCD and Argo Events were both found to be vulnerable to path traversal attacks. In Argo Events, the vulnerability could be exploited through several vectors, for example attacker-controlled git files, a race condition or an attacker-controlled manifest for a Git Trigger Source. Any of these could allow an attacker to read the contents of any file on the server. The vulnerability was scored High (7.5).
Ada Logics' team of researchers found two cases of path traversal vulnerabilities in ArgoCD. These would allow attackers to read JSON files, manifest files or YAML files on the server. The restriction of file types limits the scope of a given attack, but an attacker could still exploit the vulnerabilities to read sensitive files that could result in vertical privilege escalation. Both of these CVEs were scored Moderate.
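The defensive check that this class of finding calls for, as an added example that is not code from the Argo projects or from the audit report: a user-supplied relative path is resolved inside a fixed repository root, anything that escapes the root is rejected, and the result is further limited to an assumed allowlist of manifest file types (the extension list and function names are this example's own).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would resolve outside the root.
var ErrOutsideRoot = errors.New("path escapes repository root")

// ErrBadExtension is returned when a file type outside the allowlist is requested.
var ErrBadExtension = errors.New("file type not allowed")

// allowedExt is a hypothetical allowlist covering the manifest types mentioned above.
var allowedExt = map[string]bool{".yaml": true, ".yml": true, ".json": true}

// SafeJoin resolves relPath inside root (an absolute directory) and rejects anything
// that would land outside it. Symlinks are not resolved here; a production check
// would also run filepath.EvalSymlinks on the result before opening the file.
func SafeJoin(root, relPath string) (string, error) {
	root = filepath.Clean(root)
	if !filepath.IsAbs(root) {
		return "", errors.New("root must be absolute")
	}
	if filepath.IsAbs(relPath) {
		return "", ErrOutsideRoot
	}
	// Join cleans the path, so "apps/../../x" collapses before the containment test.
	full := filepath.Join(root, relPath)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	if !allowedExt[strings.ToLower(filepath.Ext(full))] {
		return "", ErrBadExtension
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign path, two traversal attempts, one wrong type.
	for _, p := range []string{"apps/guestbook.yaml", "../etc/passwd", "apps/../../secret.yaml", "notes.txt"} {
		out, err := SafeJoin("/repo", p)
		fmt.Printf("%-26q -> %q %v\n", p, out, err)
	}
}
```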
Denial-of-Service vulnerabilities
Ada Logics' researchers found several denial-of-service vulnerabilities in both ArgoCD and Argo Events. In ArgoCD, an attacker could make the Argo repo server read a malicious manifest that would exhaust the memory of the machine, resulting in denial of service. The vulnerability was scored Moderate (6.5).
Argo Events had a vulnerability of High (7.5) severity that could allow an attacker to send a well-crafted payload and exhaust memory causing denial of service. The following Eventsources were affected:
- AWS SNS
- Bitbucket
- Bitbucket Server
- Gitlab
- Slack
- Storagegrid
- Webhook
Insecure entropy
ArgoCD was using an insecure number generator when a user initiates an SSO login in the ArgoCD CLI, which made ArgoCD susceptible to a number of attacks. For example, an attacker could make repeated attempts to guess the generated parameters and escalate privileges horizontally all the way to full admin. The CVE was scored High (8.3). All versions of Argo CD were vulnerable starting with v0.11.0.
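How the login parameters should be generated, as an added example rather than Argo CD's own code: the token for an OAuth2/OIDC state (the same construction serves a nonce or PKCE verifier, which the page does not name; that is an assumption here) is drawn from the operating system CSPRNG via crypto/rand, and the value echoed back by the identity provider is compared in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// stateBytes is the randomness per token: 32 bytes is 256 bits, which cannot be
// enumerated by guessing, unlike the small seed space of a non-cryptographic PRNG.
const stateBytes = 32

// NewOAuthState returns a URL-safe random token for the "state" parameter of an
// SSO login. crypto/rand reads from the OS CSPRNG; math/rand must not be used here
// because its whole output sequence is predictable from its seed.
func NewOAuthState() (string, error) {
	buf := make([]byte, stateBytes)
	if _, err := rand.Read(buf); err != nil {
		// Fail closed: never fall back to a weaker source when entropy is unavailable.
		return "", fmt.Errorf("reading entropy: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// StateMatches checks the state returned on the callback against the one issued
// for this login attempt in constant time, so response timing does not reveal
// how much of a guess was correct.
func StateMatches(issued, returned string) bool {
	if len(issued) != len(returned) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(issued), []byte(returned)) == 1
}

func main() {
	state, err := NewOAuthState()
	if err != nil {
		panic(err)
	}
	fmt.Println("issued state:", state)
	fmt.Println("callback with same state accepted:", StateMatches(state, state))
	fmt.Println("callback with tampered state accepted:", StateMatches(state, state[1:]+"A"))
}
```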
Other findings
The audit resulted in a number of other findings which are included in the final report.
Fuzzing
During the audit, Ada Logics wrote 7 fuzzers and added them to Argo's OSS-Fuzz integration. The fuzzers ran during the security audit and continue to run to search for bugs. They found a number of issues during the audit that would have had a critical impact on Argo if exploitable. None of the issues could be triggered from untrusted input, and they are tracked via GitHub issues.
Ada Logics is no stranger to fuzzing the Argo projects. Earlier in 2022, we carried out a fuzzing audit of Argo in which 41 fuzzers were written covering ArgoCD, Argo Events, Argo Rollouts, Argo Workflows and GitOps Engine. The fuzzing audit resulted in 10 bugs being found, triaged and fixed, and the fuzzers run continuously via the OSS-Fuzz service. Read more about Argo's fuzzing audit here: https://akuity.io/blog/argo-security-automation-with-oss-fuz/.
Securing the Cloud - and the Edge
The Argo security audit follows a series of previous audits of CNCF projects carried out by Ada Logics. Links to previous audits:
- FluxCD [announcement] [report]
- CRI-O [announcement] [report]
- KubeEdge [announcement] [report]
Ada Logics is a major contributor to securing the cloud native landscape through fuzzing. Our team of researchers has written hundreds of fuzzers that run on the OSS-Fuzz service and cover critical projects such as Kubernetes, etcd, Helm, Argo, Cilium, Flux, containerd, runc and more. Read more about that work here: https://www.cncf.io/blog/2022/06/28/improving-security-by-fuzzing-the-cncf-landscape/.
Links
- Full audit report: https://github.com/argoproj/argoproj/tree/master/docs/argo_security_audit_2022.pdf
- Argo announcement: https://blog.argoproj.io/2022-argo-external-security-audit-lessons-learned-951f80e0450d
- OSTIF announcement: https://ostif.org/our-audit-of-argo-is-complete-critical-and-high-severity-security-issues-found-and-fixed/