After a zero-day vulnerability was disclosed in Argo CD, the continuous deployment (CD) tool for Kubernetes, users are advised to update promptly. The vulnerability could allow an attacker to extract sensitive information such as API credentials and passwords.
The bug, tracked as CVE-2022-24348 (CVSS score 7.7), affects all versions and was fixed in versions 2.3.0, 2.2.4, and 2.1.9. On January 30, 2022, Apiiro, a cloud security startup, was credited with discovering and reporting the flaw. Continuous deployment, also known as continuous delivery, is the practice of automatically deploying every code change to the testing and/or production environments once it has been thoroughly tested and merged into a shared repository.
Alibaba Group, Deloitte, Gojek, BMW Group, LexisNexis, IBM, Intuit, Skyscanner, Red Hat, Ticketmaster, and Swisscom are among the 191 companies that use Argo CD. According to Moshe Zioni, Apiiro’s VP of security research, the path-traversal vulnerability “allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope.”
Malicious Kubernetes Helm chart YAML files (a Helm chart packages the set of Kubernetes resources needed to deploy an application) can be loaded into the target system by bad actors, allowing them to read private data belonging to other applications. Successful exploitation could have serious consequences, ranging from privilege escalation and sensitive data exposure to lateral movement and the exfiltration of other applications' tokens.
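The flaw described above is a path-traversal bug: a file reference inside an application's Helm manifest resolved to a location outside that application's own source directory. The following Go function is an added, illustrative containment check written for this article; it is not Argo CD's code or the project's actual fix, and the repository root and file names are constructed for the demonstration. It resolves a user-supplied relative path against the application's directory and rejects any result that leaves it, including sibling directories whose names merely share a prefix (which a naive string-prefix comparison would wrongly accept).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested file resolves outside the
// directory the application is permitted to read from.
var ErrOutsideRoot = errors.New("path escapes application source directory")

// ResolveWithinRoot joins a relative path taken from an application manifest
// (for example a Helm values file reference) onto that application's source
// directory and returns the cleaned absolute path, or ErrOutsideRoot if the
// path climbs out of the directory. The check is purely lexical: it does not
// follow symlinks, which a production check must also handle.
func ResolveWithinRoot(appRoot, requested string) (string, error) {
	root := filepath.Clean(appRoot)
	if filepath.IsAbs(requested) {
		// Manifests should only ever reference files relative to their own app.
		return "", ErrOutsideRoot
	}
	joined := filepath.Join(root, requested) // Join also collapses ".." segments

	// Compute the path of the result relative to the root. If it still starts
	// with "..", the cleaned path has left the root. Using Rel (rather than a
	// string prefix test on joined) means "/repo/apps/frontend2" is correctly
	// treated as outside "/repo/apps/frontend".
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	// Constructed repository layout: each application owns one directory and
	// must not be able to read files from a sibling application's directory.
	const appRoot = "/repo/apps/frontend"
	candidates := []string{
		"values.yaml",                 // legitimate, inside the app
		"env/../values-prod.yaml",     // legitimate, ".." stays inside the app
		"../backend/values.yaml",      // traversal into a sibling application
		"../frontend2/values.yaml",    // sibling whose name shares a prefix
		"charts/../../../secret.yaml", // traversal hidden behind a subdirectory
	}
	for _, c := range candidates {
		p, err := ResolveWithinRoot(appRoot, c)
		if err != nil {
			fmt.Printf("REJECT %-30s %v\n", c, err)
			continue
		}
		fmt.Printf("ACCEPT %-30s -> %s\n", c, p)
	}
}
```

Lexical checks like this one stop the ".." style of traversal but not a symlink inside the repository that points elsewhere; a complete guard resolves the final path with filepath.EvalSymlinks and repeats the containment test on the result.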
Following the SolarWinds, Kaseya, and Log4j incidents, the software supply chain has emerged as a critical security concern. In July 2021, Intezer revealed that attackers were deploying cryptominers in Kubernetes (K8s) clusters by exploiting misconfigured Argo Workflows instances.