CVE-2023-40029 in Argo CD lets attackers view the full contents of a cluster secret

CVE-2023-40029

Argo CD, a leading GitOps continuous delivery tool for Kubernetes, has been in the spotlight recently – and not for the right reasons. Two major security vulnerabilities were recently identified that pose serious risks to users. As organizations increasingly rely on GitOps tools like Argo CD to manage their Kubernetes deployments, understanding and mitigating these vulnerabilities becomes paramount.

The first vulnerability (CVE-2023-40029, CVSS score of 9.9) allows an attacker to view the full contents of a cluster secret. Cluster secrets are used to store sensitive information, such as bearer tokens and passwords. If an attacker can view the contents of a cluster secret, they could gain access to sensitive data or even take control of your Kubernetes cluster.

Argo CD allows for the declarative management of Cluster secrets, a process typically carried out via Argo CD or kubectl apply. However, due to the nature of its storage system – specifically within the kubectl.kubernetes.io/last-applied-configuration annotation – the full body of these secrets is accessible.

A change introduced in #7139 inadvertently exposed the sensitive kubectl.kubernetes.io/last-applied-configuration annotation, containing the complete secret body. To make matters worse, with the right permissions (clusters, get RBAC access), one can view these annotations via the Argo CD API.

It’s worth noting that not all cluster secrets are sensitive. Many times, these secrets may not contain information that’s deemed confidential. However, there are exceptions like bearer-token authentication, where the information is highly sensitive.

The CVE-2023-40029 vulnerability has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users should update and deploy the cluster secret with the server-side-apply flag, ensuring they don’t rely on the problematic annotation. Manual removal is necessary for annotations linked to existing secrets.

The second vulnerability (CVE-2023-40584, CVSS score of 6.5) allows an attacker to cause a Denial-of-Service (DoS) attack against the Argo CD repo-server. The repo-server is responsible for downloading and storing application manifests from Git repositories. If an attacker can send a malicious tar.gz file to the repo-server, it could cause the repo-server to crash or become unresponsive.

Versions of ArgoCD starting from v2.4 have been found to contain a debilitating bug, rendering the ArgoCD repo-server component vulnerable to a Denial-of-Service (DoS) attack. The crux of the vulnerability lies in the server’s naive approach to extracting user-controlled tar.gz files. Without validating the size of these files, malicious actors can effectively send malicious tar.gz files to the repo-server. This not only impacts system functionality but also its availability.

Another related vulnerability pertains to the repo-server’s behavior post extraction: it doesn’t verify extracted file permissions prior to deletion. This opens up a scenario where an attacker can curate a tar.gz archive to resist file deletion post-manifest generation.

This vulnerability has been patched in versions v2.6.15, v2.7.14, and v2.8.3. Organizations should adopt robust RBAC configurations and restrict application configuration access to a select group of administrators. It’s also crucial that these administrators work exclusively with trusted Helm charts.