The Upwind research team constantly monitors the evolving threat landscape for emerging threats and vulnerabilities, and we recently discovered a new unauthenticated access vulnerability in ArgoCD, tracked as CVE-2024-37152.

While this is only a moderate-severity CVE, our research team found it as part of a toxic combination that included internet exposure. This combination permitted unauthenticated access to the /api/v1/settings endpoint, revealing server configuration such as the required password pattern and length, which we then used as a foothold for manipulating the server.

This finding comes in addition to another recent ArgoCD discovery by Upwind: a critical CSRF vulnerability that allowed us to compromise an EKS cluster.

Read on to uncover how we turned CVE-2024-37152 into a gateway for an Advanced Persistent Threat (APT) attack, demonstrating the profound implications of seemingly innocuous security gaps.

Unmasking the Vulnerability: Unauthenticated Access and Its Risk

At the heart of our research was the /api/v1/settings endpoint in ArgoCD, which we found accessible without any authentication. This endpoint returns configuration data that should only be visible to authenticated users. From the password pattern, which reveals the expected length and complexity of user passwords, to deployment settings and security configuration, the exposure was alarming.

{
  "appLabelKey": "app.kubernetes.io/instance",
  "resourceOverrides": {
    "apiextensions.k8s.io/CustomResourceDefinition": {
      "ignoreDifferences": "jqPathExpressions: null\njsonPointers:\n- /status\n- /spec/preserveUnknownFields\nmanagedFieldsManagers: null\n",
      "ignoreResourceUpdates": "jqPathExpressions: null\njsonPointers: null\nmanagedFieldsManagers: null\n"
    }
  },
  "googleAnalytics": {
    "anonymizeUsers": true
  },
  "kustomizeOptions": {
    "BuildOptions": "",
    "BinaryPath": ""
  },
  "help": {},
  "passwordPattern": "^.{8,32}$"
}


The Exploit

Leveraging this access was simpler than one might expect. By simply omitting the argo.token session cookie, we could still fetch the full settings object. Here is how we did it:

  1. Initial Access: Send a GET request to /api/v1/settings.
  2. Observation: Notice that the response spills sensitive information without any authentication hurdles.
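The two steps above are easy to turn into a repeatable check. The script below is an added example written for this article, not code from Upwind or from the ArgoCD project. It sends the same anonymous GET (no Cookie header at all, so no argo.token) and then decides whether the reply leaks server settings. The set of fields it treats as the leak signal is this example's assumption, taken from the response shown above; the sample body is constructed from that same JSON so the classifier can be exercised offline.

```python
import json
import urllib.error
import urllib.request

# Assumption: these keys appeared in the anonymous response shown in the post.
# A login page needs very little of the settings object, so seeing them
# without a session cookie is treated as a leak.
LEAK_INDICATORS = {
    "passwordPattern", "resourceOverrides", "kustomizeOptions",
    "appLabelKey", "googleAnalytics", "help",
}

# Constructed sample body, copied from the response the post shows.
SAMPLE_UNPATCHED_BODY = json.dumps({
    "appLabelKey": "app.kubernetes.io/instance",
    "resourceOverrides": {
        "apiextensions.k8s.io/CustomResourceDefinition": {
            "ignoreDifferences": "jqPathExpressions: null\njsonPointers:\n- /status\n",
            "ignoreResourceUpdates": "jqPathExpressions: null\njsonPointers: null\n",
        }
    },
    "googleAnalytics": {"anonymizeUsers": True},
    "kustomizeOptions": {"BuildOptions": "", "BinaryPath": ""},
    "help": {},
    "passwordPattern": "^.{8,32}$",
})


def classify_settings_response(status, body):
    """Decide whether an anonymous /api/v1/settings reply leaks server settings.

    Returns a dict with 'exposed' (bool), 'leaked' (sorted field names) and a
    short 'reason'. A non-200 status or a non-JSON body (e.g. a login page
    served as HTML) is not treated as exposure.
    """
    if status != 200:
        return {"exposed": False, "leaked": [], "reason": f"HTTP {status}"}
    try:
        settings = json.loads(body)
    except ValueError:
        return {"exposed": False, "leaked": [], "reason": "non-JSON body"}
    if not isinstance(settings, dict):
        return {"exposed": False, "leaked": [], "reason": "unexpected JSON shape"}
    leaked = sorted(k for k in settings if k in LEAK_INDICATORS)
    return {"exposed": bool(leaked), "leaked": leaked, "reason": "ok"}


def fetch_settings_anonymously(base_url, timeout=10):
    """GET /api/v1/settings with no cookies; urllib sends none by default."""
    url = base_url.rstrip("/") + "/api/v1/settings"
    req = urllib.request.Request(url, headers={"Accept": "application/json"}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 is the healthy answer; keep the body for the classifier anyway.
        return err.code, err.read().decode("utf-8", "replace")


def check(base_url):
    """Run the anonymous fetch against a live server and classify the result."""
    status, body = fetch_settings_anonymously(base_url)
    return classify_settings_response(status, body)


if __name__ == "__main__":
    import sys
    # Usage: python check_settings.py https://argocd.example.internal
    print(json.dumps(check(sys.argv[1]), indent=2))
```

The classifier keys on the presence of configuration fields rather than on the status code alone, because a server may legitimately answer 200 to an anonymous settings request with only the data the login page needs; whether a given patched build strips exactly these fields is not something this example asserts, so tune LEAK_INDICATORS to what your baseline shows.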

Armed with this information, we crafted a session manipulation strategy that prevented the system from terminating our unauthorized session, thus maintaining persistent access—a crucial factor in orchestrating more invasive attacks.

Escalating the Attack: From Access to Control

The unauthorized access gave us a baseline to disrupt normal operations and plant deeper footholds within the system. We employed session manipulation techniques to alter session states subtly.

We performed proxy manipulation using tools like Burp Suite, which let us step through the modified requests and maintain control over the session without triggering alarms.

Through these maneuvers, we were able to transform a simple vulnerability into an essential asset for our attack.

Data Analysis and Brute Force Attack

After obtaining the data, we began to dissect both the way default passwords are generated and the rate limit applied to login requests. We found that the server locks out an account after 5 failed attempts within a 5-minute window, which shaped how we paced our brute force attack. Further research showed that the default admin password depends on the ArgoCD version: in versions prior to 1.8 it is derived from the server's Kubernetes configuration (averaging 12 characters in the deployments we examined), while for versions newer than 1.9 it is a randomly generated 16-character string.


These methods could enable an Advanced Persistent Threat (APT) to exploit resources using techniques such as timing attacks, denial-of-service (DoS), random password cracking, and guessing container names in clusters running versions prior to 1.8. While these attacks are complex and non-trivial, they illustrate the potential risk when a moderate vulnerability intersects with configuration weaknesses.
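The lockout threshold described above (5 failed logins per 5 minutes) is also the natural detection threshold for the defender. The following is an added example, not code from Upwind or from the ArgoCD project: a small detector that reads argocd-server style key=value log lines, counts failed session creations inside a sliding window, and raises an alert the moment the window fills. The log lines are constructed for this example; the field names (grpc.service, grpc.method, grpc.code) follow the gRPC logging format the server uses, but the exact text on your cluster should be checked before relying on them.

```python
import re
from collections import deque
from datetime import datetime

# Matches key=value pairs where the value is either bare or double-quoted
# (quoted values may contain spaces and '=' characters).
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample of argocd-server log lines: one anonymous settings fetch,
# a burst of failed admin logins, one successful login, then isolated failures.
SAMPLE_LOG = '''
time="2024-06-20T10:00:01Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.SettingsService grpc.time_ms=0.9 span.kind=server system=grpc
time="2024-06-20T10:00:05Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=71.3 span.kind=server system=grpc
time="2024-06-20T10:00:09Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=69.8 span.kind=server system=grpc
time="2024-06-20T10:00:14Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=70.1 span.kind=server system=grpc
time="2024-06-20T10:00:20Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=72.4 span.kind=server system=grpc
time="2024-06-20T10:00:27Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=70.9 span.kind=server system=grpc
time="2024-06-20T10:00:35Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=68.7 span.kind=server system=grpc
time="2024-06-20T10:01:00Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Create grpc.service=session.SessionService grpc.time_ms=80.2 span.kind=server system=grpc
time="2024-06-20T10:30:00Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=70.0 span.kind=server system=grpc
time="2024-06-20T10:40:00Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = Invalid username or password" grpc.code=Unauthenticated grpc.method=Create grpc.service=session.SessionService grpc.time_ms=70.5 span.kind=server system=grpc
'''.strip().splitlines()


def parse_logrus(line):
    """Parse a logrus text-format line into a dict of key -> unquoted value."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_failed_login(fields):
    """A failed password login is an Unauthenticated session.SessionService/Create."""
    return (fields.get("grpc.service") == "session.SessionService"
            and fields.get("grpc.method") == "Create"
            and fields.get("grpc.code") == "Unauthenticated")


def detect_bruteforce(lines, max_fail=5, window_seconds=300):
    """Alert when max_fail failed logins land inside a window_seconds window.

    The defaults mirror the lockout the post observed (5 per 5 minutes), so an
    alert fires exactly when the server would start rejecting the attacker.
    Returns a list of alerts, each with the time of the triggering attempt.
    """
    alerts = []
    recent = deque()  # timestamps of failed logins inside the current window
    for line in lines:
        fields = parse_logrus(line)
        if not is_failed_login(fields):
            continue
        ts = datetime.fromisoformat(fields["time"].replace("Z", "+00:00"))
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) == max_fail:
            alerts.append({"time": fields["time"], "failures_in_window": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"brute-force burst reached lockout threshold at {alert['time']}")
```

Note that the anonymous settings fetch on the first line is indistinguishable from an authenticated one in these server logs, which carry no user or client address; catching that request belongs at the ingress or proxy layer, where the source IP and the absence of an argo.token cookie are visible.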

We’ve included a demonstration of a DoS attack that, with just 10 threads, produces a measurable rise in CPU usage, illustrating how even a small intrusion can affect your cluster’s performance.


How Upwind Helps Protect Against Toxic Combinations & CVEs

  • Upwind Issues: View your most critical issues and exposed assets, such as ArgoCD, and identify toxic combinations of vulnerabilities, threats and posture findings.
  • Upwind Vulnerability Management: Reduce alert noise and focus on critical risks across infrastructure and applications, including Kubernetes clusters.
  • Upwind MDR: Upwind’s industry-leading security team is always monitoring for emerging threats and vulnerabilities, with the Upwind MDR team taking real-time actions to protect your infrastructure and applications from critical vulnerabilities and zero days.

The Broader Implications of CVE-2024-37152

This vulnerability demonstrated how easily privileges could be escalated and core functionalities manipulated, highlighting significant gaps in security practices for DevOps tools. It serves as a reminder that even moderate vulnerabilities can lead to severe consequences if combined with other security oversights.

In response, patches have been released to address this vulnerability in affected ArgoCD versions. However, the key takeaway is clear: organizations must remain vigilant and proactive in securing their infrastructure tools as diligently as they secure their main software products.

Learn More

Want to learn more about how Upwind helps protect your infrastructure and applications from vulnerabilities and toxic combinations? Reach out to us at [email protected] or schedule a demo.