ArgoCD Security Considerations

 As a deployment tool, Argo CD needs to have production access which makes security a very important topic. The Argoproj team takes security very seriously and continuously working on improving it. Learn more about security related features in Security section.

Overview of past and current issues

The following table gives a general overview about past and present issues known to the Argo CD project. See in the Known Issues section if there is a work-around available if you cannot update or if there is no fix yet.

DateCVETitleRiskAffected version(s)Fix version
2020-06-16CVE-2020-1747PyYAML library susceptible to arbitrary code executionHighallv1.5.8
2020-06-16CVE-2020-14343PyYAML library susceptible to arbitrary code executionHighallv1.5.8
2020-04-14CVE-2020-5260Possible Git credential leakHighallv1.4.3,v1.5.2
2020-04-08CVE-2020-11576User EnumerationMediumv1.5.0v1.5.1
2020-04-08CVE-2020-8826Session-fixationHighalln/a
2020-04-08CVE-2020-8827Insufficient anti-automation/anti-brute forceHighall <= 1.5.3v1.5.3
2020-04-08CVE-2020-8828Insecure default administrative passwordHighall <= 1.8.01.8.0
2020-04-08CVE-2018-21034Sensitive Information DisclosureMediumall <= v1.5.0v1.5.0

Known Issues And Workarounds

A recent security audit (thanks a lot to Matt Hamilton of https://soluble.ai ) has revealed several limitations in Argo CD which could compromise security. Most of the issues are related to the built-in user management implementation.

CVE-2020-1747, CVE-2020-14343 - PyYAML library susceptible to arbitrary code execution

Summary:

RiskReported byFix versionWorkaround
Highinfa-kparidav1.5.8No

Details:

PyYAML library susceptible to arbitrary code execution when it processes untrusted YAML files. We do not believe Argo CD is affected by this vulnerability, because the impact of CVE-2020-1747 and CVE-2020-14343 is limited to usage of awscli. The awscli only used for AWS IAM authentication, and the endpoint is the AWS API.

CVE-2020-5260 - Possible Git credential leak

Summary:

RiskReported byFix versionWorkaround
CriticalFelix Wilhelm of Google Project Zerov1.4.3,v1.5.2Yes

Details:

Argo CD relies on Git for many of its operations. The Git project released a security advisory on 2020-04-14, describing a serious vulnerability in Git which can lead to credential leakage through credential helpers by feeding malicious URLs to the git clone operation.

We do not believe Argo CD is affected by this vulnerability, because ArgoCD does neither make use of Git credential helpers nor does it use git clone for repository operations. However, we do not know whether our users might have configured Git credential helpers on their own and chose to release new images which contain the bug fix for Git.

Mitigation and/or workaround:

We strongly recommend to upgrade your ArgoCD installation to either v1.4.3 (if on v1.4 branch) or v1.5.2 (if on v1.5 branch)

When you are running v1.4.x, you can upgrade to v1.4.3 by simply changing the image tags for argocd-serverargocd-repo-server and argocd-controller to v1.4.3. The v1.4.3 release does not contain additional functional bug fixes.

Likewise, hen you are running v1.5.x, you can upgrade to v1.5.2 by simply changing the image tags for argocd-serverargocd-repo-server and argocd-controller to v1.5.2. The v1.5.2 release does not contain additional functional bug fixes.

CVE-2020-11576 - User Enumeration

Summary:

RiskReported byFix versionWorkaround
MediumMatt Hamilton of https://soluble.aiv1.5.1Yes

Details:

Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts within Argo.

Mitigation and/or workaround:

Upgrade to ArgoCD v1.5.1 or higher. As a workaround, disable local users and use only SSO authentication.

CVE-2020-8828 - Insecure default administrative password

Summary:

RiskReported byFix versionWorkaround
HighMatt Hamilton of https://soluble.ai1.8.0Yes

Details:

Argo CD uses the argocd-server pod name (ex: argocd-server-55594fbdb9-ptsf5) as the default admin password.

Kubernetes users able to list pods in the argo namespace are able to retrieve the default password.

Additionally, In most installations, the Pod name contains a random "trail" of characters. These characters are generated using a time-seeded PRNG and not a CSPRNG. An attacker could use this information in an attempt to deduce the state of the internal PRNG, aiding bruteforce attacks.

Mitigation and/or workaround:

The recommended mitigation as described in the user documentation is to use SSO integration. The default admin password should only be used for initial configuration and then disabled or at least changed to a more secure password.

CVE-2020-8827 - Insufficient anti-automation/anti-brute force

Summary:

RiskReported byFix versionWorkaround
HighMatt Hamilton of https://soluble.ain/aYes

Details:

ArgoCD before v1.5.3 does not enforce rate-limiting or other anti-automation mechanisms which would mitigate admin password brute force.

Mitigation and/or workaround:

Rate-limiting and anti-automation mechanisms for local user accounts have been introduced with ArgoCD v1.5.3.

As a workaround for mitigation if you cannot upgrade ArgoCD to v1.5.3 yet, we recommend to disable local users and use SSO instead.

CVE-2020-8826 - Session-fixation

Summary:

RiskReported byFix versionWorkaround
HighMatt Hamilton of https://soluble.ain/aYes

Details:

The authentication tokens generated for built-in users have no expiry.

These issues might be acceptable in the controlled isolated environment but not acceptable if Argo CD user interface is exposed to the Internet.

Mitigation and/or workaround:

The recommended mitigation is to change the password periodically to invalidate the authentication tokens.

CVE-2018-21034 - Sensitive Information Disclosure

Summary:

RiskReported byFix versionWorkaround
MediumMatt Hamilton of https://soluble.aiv1.5.0No

Details:

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

Mitigation and/or workaround:

Upgrade to ArgoCD v1.5.0 or higher. No workaround available

Reporting Vulnerabilities

Please have a look at our security policy for more details on how to report security vulnerabilities for Argo CD.

Comments

Post a Comment

Popular posts from this blog

Terraform

Image
  Terraform is an infrastructure as code tool that lets you build, change, and version cloud and on-prem resources safely and efficiently. HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features. How does Terraform work? Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API. HashiCorp and the Terraform community have already written  thousands of providers  to manage many different types of resources and services.
Read more

Scrum Master Interview help - Bootcamp

Understanding the MoSCoW prioritization | How to implement it into your project Projects, irrespective of their size or complexity, often juggle numerous tasks and requirements. In such a scenario,  MoSCoW prioritization  becomes essential to ensure the successful completion of the project.  Besides, it is also a very effective way to manage project priorities. With a straightforward and adaptable approach, the MoSCoW method helps manage stakeholder expectations and improve project outcomes. What is the MoSCoW prioritization technique?  The MoSCoW method is a prioritization matrix widely used in project management and software development. The term MoSCoW is an acronym that stands for  Must have ,  Should have ,  Could have , and  Won’t have , each denoting a level of priority. Here is the breakdown of the MoSCoW method:  Must have:  These are critical requirements that the project cannot be completed without them. If these are not fulfilled, the project is con
Read more

Kubernetes

  Using containers to host applications and other processes has gone mainstream. As more and more workload is moved into containers, management systems are needed to handle the demands of containerized applications at scale. One of the most popular options for managing  container-based workload is Kubernetes . Kubernetes combines container management automation with an extensible API to create a cloud-native application management powerhouse. At its core, Kubernetes manages the placement of pods, which can consist of one or more containers, on a Kubernetes cluster node. Additionally, if one of these pods crashes, Kubernetes can create a new instance of it. If a cluster node is removed, Kubernetes can move any affected workload to a different node in the cluster. On top of that, Kubernetes pods can be scaled to provide more or less throughput to meet scale demands and these scale operations can be triggered manually or automatically using Kuberentes horizontal pod auto-scaling. Finally,
Read more