Beware! Argo CD Kubernetes GitOps Tool Vulnerability Allows Privilege Escalation

CVE: CVE-2023-23947
CVSS (v3.1): 9.1
Source: CVE-2023-23947

Argo CD is a popular open source GitOps continuous delivery tool for Kubernetes. Unfortunately, versions prior to 2.3.17, 2.4.23 and 2.5.11 were found to have a serious authorization bug.

This improper authorization vulnerability could allow any user with permission to update a single cluster secret to then update any secret in the entire Kubernetes cluster. An attacker could exploit this to escalate their privileges and potentially take control of cluster resources.

Worse still, they could break important Argo CD functionality by preventing it from connecting to external Kubernetes clusters. This would disrupt deployments and cause downtime for applications.

The good news is that the Argo CD developers have released patches in versions 2.6.2 and above to fix this issue. However, if you are running an earlier version, you need to take action now to protect yourself.

The simplest option is to completely revoke all “clusters, update” permissions for non-admin users in the RBAC configuration. Alternatively, you can restrict secret access in the same way as namespaces and cluster resources, using the “destinations” and “clusterResourceWhitelist” fields.
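To make the first workaround auditable, here is an added example (not code from the Argo CD project or from this post) that parses the `policy.csv` content of an `argocd-rbac-cm` ConfigMap, lists every non-admin role and user that is granted the `clusters, update` action (including through `*` wildcards), and emits a hardened copy of the policy with those grants removed. The sample policy is constructed for illustration; the deny-overrides-allow treatment of `effect` mirrors how Argo CD's Casbin model evaluates rules.

```python
"""Audit an Argo CD RBAC policy.csv for non-admin 'clusters, update' grants.

Added example for CVE-2023-23947 remediation; the policy below is constructed,
not taken from any real deployment. Line formats follow Argo CD's RBAC docs:
  p, <subject>, <resource>, <action>, <object>, <effect>
  g, <user or group>, <role>
"""
import csv
import io

BUILTIN_ADMIN = "role:admin"  # Argo CD's built-in admin role; exempt from the check

# Constructed sample policy.csv (assumption: typical multi-team layout).
SAMPLE_POLICY_CSV = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:deployer, applications, sync, */*, allow
p, role:deployer, clusters, update, *, allow
p, role:ops, clusters, *, *, allow
p, role:auditor, clusters, update, *, deny
g, alice, role:org-admin
g, bob, role:deployer
g, carol, role:ops
"""


def parse_policy(text):
    """Return (rules, bindings): rules are dicts, bindings are (member, role) tuples."""
    rules, bindings = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        kind, fields = row[0].strip(), [f.strip() for f in row[1:]]
        if kind == "p" and len(fields) == 5:
            rules.append(dict(zip(("subject", "resource", "action", "object", "effect"), fields)))
        elif kind == "g" and len(fields) == 2:
            bindings.append((fields[0], fields[1]))
    return rules, bindings


def grants_cluster_update(rule):
    """True when a rule covers the 'clusters' resource and the 'update' action."""
    return rule["resource"] in ("clusters", "*") and rule["action"] in ("update", "*")


def risky_subjects(rules):
    """Non-admin subjects that end up allowed to update cluster secrets.

    An explicit deny on the same resource/action overrides an allow, as in Argo CD's
    Casbin policy effect."""
    allowed, denied = set(), set()
    for r in rules:
        if grants_cluster_update(r):
            (allowed if r["effect"] == "allow" else denied).add(r["subject"])
    return (allowed - denied) - {BUILTIN_ADMIN}


def affected_members(rules, bindings):
    """Map each user/group to the risky roles it is bound to via 'g' lines."""
    risky = risky_subjects(rules)
    result = {}
    for member, role in bindings:
        if role in risky:
            result.setdefault(member, []).append(role)
    return result


def harden_policy(text):
    """Return policy.csv text with every non-admin 'clusters, update' allow rule removed.

    A wildcard-action rule such as 'clusters, *' is dropped whole; rewrite it with the
    specific actions (e.g. get) that the role actually needs."""
    kept = []
    for line in text.splitlines():
        row = [f.strip() for f in line.split(",")]
        if (row[0] == "p" and len(row) == 6 and row[1] != BUILTIN_ADMIN
                and row[5] == "allow"
                and grants_cluster_update({"resource": row[2], "action": row[3]})):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    rules, bindings = parse_policy(SAMPLE_POLICY_CSV)
    print("roles with clusters/update:", sorted(risky_subjects(rules)))
    print("members affected:", affected_members(rules, bindings))
    print("hardened policy:\n" + harden_policy(SAMPLE_POLICY_CSV))
```

Run it against the `policy.csv` key of your live ConfigMap (for example `kubectl -n argocd get cm argocd-rbac-cm -o jsonpath='{.data.policy\.csv}'`) and treat every role it reports as a finding until the cluster is upgraded to a patched version.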

If left unpatched, this authorization bug poses a serious risk. Be sure to upgrade Argo CD immediately or implement the workarounds to prevent privilege escalation attacks on your Kubernetes environment. Your applications’ security depends on it.
