Researchers last week disclosed a software supply chain zero-day vulnerability in Argo CD — the open source continuous delivery platform — that lets attackers access sensitive information, including passwords and API keys.

In a blog post, Apiiro researchers said the vulnerability — CVE-2022-24348 — lets malicious actors load a Kubernetes Helm Chart YAML file to the vulnerability and “hop” from their application to other application data outside of the user’s scope to launch other attacks, including privilege escalation and lateral movement.  

DevOps engineers use Argo CD to facilitate continuous delivery of infrastructure and applications, particularly instantiating and maintaining Kubernetes clusters and running workloads, said Michael Isbitski, technical evangelist at Salt Security. Isbitski said it’s possible for an attacker to insert malicious code within a Helm chart, a specific type of YAML-formatted infrastructure-as-code, and traverse directories within a Kubernetes cluster that are outside the boundaries of what should normally be accessible because of how Argo CD was parsing Helm charts.

“An attacker would in turn be able to read any data off referenced file systems or repositories used by the cluster,” Isbitski said. “Those data sources can include many types of sensitive data like password files or API keys. API keys are often used to facilitate machine communication, and they’re frequently used in systems integration where traditional user authentication mechanisms aren’t feasible. Unfortunately, API keys are the equivalent of valid login credentials. Attackers can harvest API keys when examining source code, compiled code, or configuration files. In turn, the API keys grant access to APIs that provide critical and often sensitive functionality and data. Ideally, organizations pair API keys with other authentication factors to improve the strength of their application and system access controls.”

We are seeing more advanced persistent threats that leverage zero-days and known, unmitigated vulnerabilities in software supply chain software such as Argo CD, said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. Bar-Dayan said for years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk. But hackers are always looking for the most effective path of least resistance to attain their objectives.

“A recent rash of APTs that leverage a supply chain zero-day vulnerability daisy-chained with known, unmitigated vulnerabilities, demonstrates how hackers are becoming increasingly sophisticated and opportunistic,” Bar-Dayan said. “Obviously, the SolarWinds hack was the most notorious APT to use the software supply chain as the main attack vector. We need to do better as an industry before our cyber debt sinks us. Apiiro and Argo have taken the right steps to help Argo customers reduce the risk associated with CVE-2022-24348, but now IT security teams must collaborate and do the work to protect their development environments and software supply chains from threat actors.”