CVE-2022-24348
📋 TL;DR
This vulnerability in Argo CD allows attackers to perform directory traversal attacks through malicious Helm charts, potentially accessing sensitive files like credentials stored in YAML files. It affects Argo CD deployments using Helm charts for application deployment. Organizations using vulnerable Argo CD versions for Kubernetes deployments are at risk.
💻 Affected Systems
- Argo CD
📦 What is this software?
Argo Cd by Argoproj
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all credentials stored in YAML files, compromise the entire Kubernetes cluster, and potentially pivot to other systems using stolen credentials.
Likely Case
Attackers with access to deploy Helm charts could steal specific credentials from YAML files, leading to partial cluster compromise and data exposure.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the specific Argo CD instance and its accessible resources.
🎯 Exploit Status
Exploitation requires the ability to deploy Helm charts to Argo CD. A public proof-of-concept demonstrates credential extraction from YAML files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Argo CD 2.1.9 or 2.2.4
Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7
Restart Required: Yes
Instructions:
1. Backup your Argo CD configuration.
2. Update Argo CD to version 2.1.9 or 2.2.4 using your deployment method (Helm, kubectl, etc.).
3. Restart Argo CD components.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Helm Chart Sources
Only allow Helm charts from trusted, verified repositories and implement strict access controls on who can deploy charts.
Implement Network Segmentation
Isolate Argo CD deployments from sensitive systems and implement strict network policies to limit potential lateral movement.
🧯 If You Can't Patch
- Implement strict RBAC to limit who can deploy Helm charts to only trusted users
- Monitor for suspicious file access patterns and Helm chart deployments from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the Argo CD version by reading the image tag of the argocd-server pod:
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].spec.containers[0].image}'
Verify Fix Applied:
Confirm the version is 2.1.9 or higher (for 2.1.x) or 2.2.4 or higher (for 2.2.x) using the same command.
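Version check, as an added example that is not part of this page or of the Argo CD project: it parses the image reference the kubectl command above returns and classifies it against the fixed releases named here (2.1.9 and 2.2.4). The sample image references are constructed, and the handling of versions outside the 2.1 and 2.2 lines is an assumption noted in the code.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed releases named on this page: 2.1.9 for the 2.1 line, 2.2.4 for the 2.2 line.
FIXED_2_1 = (2, 1, 9)
FIXED_2_2 = (2, 2, 4)


def parse_image_tag(image_ref: str) -> Optional[str]:
    """Return the tag from an image reference, or None if it is untagged or digest-only."""
    ref = image_ref.strip().split("@", 1)[0]   # drop a trailing @sha256:... digest, if any
    last = ref.rsplit("/", 1)[-1]              # registry ports (host:5000) sit before the last "/"
    return last.split(":", 1)[1] if ":" in last else None


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse a vX.Y.Z tag; None for tags like 'latest' or 'stable' whose version is unknown."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(image_ref: str) -> Optional[bool]:
    """True if the server image is in an affected range, False if fixed, None if undeterminable."""
    tag = parse_image_tag(image_ref)
    ver = parse_version(tag) if tag else None
    if ver is None:
        return None
    if ver[:2] == (2, 2):
        return ver < FIXED_2_2
    # Assumption (not stated on this page): every release before 2.1.9 is affected, and
    # minor lines after 2.2 were cut after the fix, so they compare as not vulnerable here.
    return ver < FIXED_2_1


def classify(image_ref: str) -> str:
    verdict = is_vulnerable(image_ref)
    return "UNKNOWN" if verdict is None else ("VULNERABLE" if verdict else "FIXED")


# Constructed sample references for an offline run. For a live check pass the kubectl output:
#   python3 check_argocd.py "$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server \
#       -o jsonpath='{.items[0].spec.containers[0].image}')"
SAMPLE_IMAGES = [
    "quay.io/argoproj/argocd:v2.1.8",                  # VULNERABLE
    "quay.io/argoproj/argocd:v2.2.4",                  # FIXED
    "registry.internal:5000/argoproj/argocd:latest",   # UNKNOWN: tag carries no version
]

if __name__ == "__main__":
    for ref in (sys.argv[1:] or SAMPLE_IMAGES):
        print(f"{classify(ref):10s} {ref.strip()}")
```

An UNKNOWN verdict means the tag does not encode a version; resolve it with `argocd version` or the image's release notes rather than treating it as fixed.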
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in Argo CD logs
- Helm chart deployments from untrusted sources
- Errors related to path traversal in repository.go
Network Indicators:
- Unexpected outbound connections from Argo CD pods
- Data exfiltration patterns
SIEM Query:
source="argocd" AND ("directory traversal" OR "path traversal" OR "helmTemplate" OR "repository.go")
🔗 References
- https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7