Major vulnerability found in open source dev tool for Kubernetes


Researchers today revealed a zero-day vulnerability, rated “high” severity, in Argo CD, an open source developer tool for Kubernetes.

The vulnerability (CVE-2022-24348) was discovered by a research team at the cloud-native application protection firm Apiiro. The company says it reported the weakness to the open source Argo project before announcing the flaw on its blog today. Patches are now available, Apiiro said.

Argo CD is a continuous delivery platform for developers using Kubernetes, the dominant container orchestration system.

Exploiting the vulnerability in Argo CD could allow an attacker to access sensitive information including passwords, secrets, and API keys using malicious Kubernetes Helm charts, Moshe Zioni, vice president of security research at Apiiro, said in a blog post. Helm charts are YAML files used to manage Kubernetes applications.

Zioni said the vulnerability has been given a “high” (7.7) severity rating, although as of this writing, the National Institute of Standards and Technology (NIST) website has not yet posted a rating.

In an email to VentureBeat, Zioni said the vulnerability could potentially have a “very significant impact on the industry,” as Argo CD is used by thousands of organizations. The open source project has more than 8,300 stars on GitHub.

According to Intuit, the Argo CD platform enables automated deployments for applications taking advantage of declarative specifications as well as GitHub. The company donated the project to the Cloud Native Computing Foundation in 2020 after acquiring its maker, Applatix, in 2018.

Potential threats

The newly revealed flaw in Argo CD “allows malicious actors to load a Kubernetes Helm chart YAML file to the vulnerability and ‘hop’ data from other applications in their application ecosystem outside the user’s workspace,” Zioni said in an Apiiro blog post.

Thus, attackers can “read and extract secrets, tokens and other sensitive information contained in another application,” he said. Exploitation of the vulnerability can lead to privilege escalation, lateral movement and the disclosure of sensitive information, Zioni said in the post.

Application files “usually contain a range of secrets, tokens, and transitive values of environment-sensitive settings,” he said. “This can be effectively used by the attacker to further expand his or her campaign by moving laterally across various services and escalating their privileges to gain more ground on the system and the target organization’s resources.”
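The article describes the flaw only in outline: a chart's YAML file can reference data belonging to other applications outside the user's own workspace. The standard defensive control for that class of problem is to resolve every file reference an application declares and reject any that does not stay inside that application's own directory. The following is an added example of such a containment check; it is not Argo CD's code, Apiiro's proof of concept, or the project's actual fix (the page does not describe how the patch works). The repository layout (`/repo/<app>`), the function names and the sample references are all constructed for illustration.

```python
import posixpath
from typing import Dict, List, Optional

# Constructed layout: every application lives in its own directory under one
# repository root. A chart for app-a must only read files beneath /repo/app-a.
REPO_ROOT = "/repo"


def resolve_within(app_dir: str, requested: str) -> Optional[str]:
    """Normalize `requested` relative to the application's directory and return
    the resulting absolute path only if it is still inside that directory.

    Returns None for absolute paths and for any reference that escapes the
    application directory via '..'. Uses posixpath string arithmetic only, so
    it runs without touching a filesystem; symlinks inside the checked-out
    repository are a separate concern (see the note below).
    """
    if requested.startswith("/"):
        return None  # only repository-relative references are accepted
    base = posixpath.normpath(posixpath.join(REPO_ROOT, app_dir))
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # The trailing separator matters: "/repo/app-a-extra/..." must not pass
    # as being inside "/repo/app-a" just because it shares the prefix.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def check_value_files(app_dir: str, value_files: List[str]) -> Dict[str, Optional[str]]:
    """Map each declared values-file reference to its resolved path, or to None
    when the reference would leave the application's own directory."""
    return {ref: resolve_within(app_dir, ref) for ref in value_files}


if __name__ == "__main__":
    # Constructed sample references, as an application manifest might declare them.
    sample = [
        "values.yaml",                          # plain file in the app dir
        "env/./prod/../staging/values.yaml",    # messy but still contained
        "../app-b/values.yaml",                 # escapes into a sibling app
        "../app-a-extra/values.yaml",           # prefix look-alike, still outside
        "/repo/app-b/values.yaml",              # absolute path, rejected outright
    ]
    for ref, resolved in check_value_files("app-a", sample).items():
        verdict = "ALLOW" if resolved else "REJECT"
        print(f"{verdict:6} {ref!r} -> {resolved}")
```

Two details are worth keeping when adapting this: the comparison must include the trailing separator (otherwise `/repo/app-a-extra` passes as a child of `/repo/app-a`), and a string-level check says nothing about symlinks, so a checked-out repository should additionally be resolved with `os.path.realpath` on the real filesystem before the same containment test is applied to the resolved path.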

Zioni said the Argo CD team responded “quickly” after being notified of the vulnerability.

Open source security

The weakness in Argo CD has been revealed amid growing concerns about the prevalence of insecure software supply chains. High-profile incidents include the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains increased by more than 300% in 2021, Aqua Security reports.

Meanwhile, open source vulnerabilities such as those in the Apache Log4j logging library and the widespread flaws in the Linux polkit program have underscored the issue. On Monday, the Open Source Security Foundation announced a new $5 million project, backed by Microsoft and Google, designed to secure the software supply chain.

Yaniv Bar-Dayan, co-founder and CEO of cybersecurity risk management vendor Vulcan Cyber, told VentureBeat: “We are seeing more and more sophisticated persistent threats that take advantage of zero-days and take advantage of known, unremediated vulnerabilities in software supply chain platforms such as Argo CD.”

“We need to do better as an industry before our cyber debt sinks us,” Bar-Dayan said. “IT security teams should collaborate and work to protect their development environments and software supply chains from bad actors.”
