CVE-2024-31989: Critical Argo CD Flaw Exposes Kubernetes Clusters to Takeover

CVE-2024-31989

Argo CD, a popular GitOps continuous delivery tool for Kubernetes, has disclosed a critical security vulnerability (CVE-2024-31989, CVSS 9.1) that could allow attackers to seize control of Kubernetes clusters. The flaw stems from the use of a Redis cache with insufficient security measures, potentially granting unauthorized access and manipulation of sensitive data.

CVE-2024-31989

The vulnerability stems from the default configuration of the Redis database server, which is not password-protected. This lack of protection allows an attacker with network access to the Redis server to gain read and write permissions. More alarmingly, the attacker can modify the “mfst” (manifest) key, causing Argo CD to execute arbitrary deployments by leveraging Argo CD’s elevated privileges within the cluster.

By updating the “cacheEntryHash” in the manifest JSON, an attacker can generate a new FNV64a hash that matches the new manifest values. Since the cache in Redis is not signed or validated, the repo-server, unable to detect the compromise, will read the altered “mfst” key and initiate an update process for the malicious deployment. This can lead to a complete cluster takeover.

Additionally, the attacker can edit the “app|resources-tree” key, prompting the Argo CD server to load any Kubernetes resource into the live manifest section of the app preview, potentially leading to significant information leakage.

The potential impact of this vulnerability is severe, given Argo CD’s high-level permissions within Kubernetes clusters. Exploitation could result in:

  1. Privilege Escalation: An attacker could escalate their privileges to the level of the cluster controller, gaining full control over the cluster.
  2. Denial of Service: The attacker could disrupt services by causing Argo CD to execute unauthorized deployments.
  3. Information Leakage: Sensitive information could be exposed by manipulating the live manifest section to load unauthorized Kubernetes resources.

The CVE-2024-31989 vulnerability affects anyone who does not have strict access controls on their Redis instance, making it a critical concern for organizations using Argo CD in a default or misconfigured state.

The vulnerability affects a wide range of Argo CD versions, making it crucial for users to take immediate action. The Argo CD project has released patched versions (2.11.1, 2.10.10, 2.9.15, and 2.8.19) that address the issue by enforcing stricter security controls on the Redis cache.

Organizations using Argo CD are strongly advised to upgrade to the patched versions without delay. Additionally, it is essential to review and harden the security of the Redis cache by enabling password protection, encrypting data at rest, and restricting network access to authorized users.