Argo CD Patched Critical Authentication Bypass Vulnerability
A critical vulnerability has been discovered in Argo CD, allowing unauthenticated users to impersonate as any Argo CD user or role, including the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request.
The vulnerability dubbed CVE-2022-29165 was found in Argo CD up to 2.1.14/2.2.8/2.3.3 and has been classified as critical with the CVSS score of 10.0.
In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. But in a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in admin account regardless of whether that account is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this.
Brief about Argo CD?
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It continuously monitors running applications and compares the current real-time state to the desired target state (such as the configuration in a Git repository), automatically syncing and deploying applications when the Git repository changes.
About CVE-2022-29165 vulnerability?
Affected versions of Argo CD can easily bypass authentication by sending a specially crafted JSON Web Token (JWT) with the request because ARGO-CD will trust invalid JWTs. An unauthenticated attacker could exploit this vulnerability to impersonate any Argo CD user or role, including the built-in administrator account, whether that account is enabled or disabled.
If anonymous access to the instance is enabled, an attacker can:
- Escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster-admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster.
- Exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API
Mitigation or Workarounds to fix
As in a default Argo CD installation, anonymous access is disabled, hence for successful exploitation of the vulnerability anonymous access to the Argo CD instance must be enabled.
To find out if anonymous access is enabled in your instance you can query the argocd-cm ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the argocd namespace:
$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'
If the result of this command is either empty or "false", anonymous access to that instance is not enabled. If the result is "true", your instance is vulnerable.
To disable anonymous access, patch the argocd-cm ConfigMap to either remove the users.anonymous.enabled field or set this field to "false".
To set the field to "false", just hit the below command.
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'
The vulnerability has been discovered by Mark Pim and Andrzej Hajto who responsibly reported the issue to the Argo project team. The exploitability of the vulnerability is told to be easy and can be exploited remotely.
At the time of writing, there is no exploit code not available yet nor technical details.
Join the conversation