CVE-2023-23947
📋 TL;DR
Argo CD versions 2.3.0-rc1 through 2.6.1 contain an improper authorization vulnerability that allows users with cluster secret update permissions to modify any cluster secret. This affects organizations using Argo CD for Kubernetes deployments where users have been granted limited cluster secret management access.
💻 Affected Systems
- Argo CD
📦 What is this software?
Argo CD by Argoproj
⚠️ Risk & Real-World Impact
Worst Case
Attackers could escalate privileges to control Kubernetes resources across clusters, potentially compromising entire infrastructure or deploying malicious workloads.
Likely Case
Unauthorized modification of cluster secrets leading to broken connections to external clusters, disrupting GitOps workflows and deployment pipelines.
If Mitigated
Limited to authorized users with existing cluster secret update permissions, reducing attack surface to internal threats.
🎯 Exploit Status
Exploitation requires authenticated access with at least one cluster secret update permission. The vulnerability is straightforward to exploit once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2, 2.5.11, 2.4.23, or 2.3.17
Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j
Restart Required: Yes
Instructions:
1. Back up the current Argo CD configuration.
2. Update to a patched version using your deployment method (Helm, kubectl, etc.).
3. Restart the Argo CD components.
4. Verify functionality after the upgrade.
🔧 Temporary Workarounds
Revoke cluster update permissions
Modify the RBAC configuration to remove all 'clusters, update' access from users:
kubectl edit rolebinding -n argocd
kubectl edit clusterrolebinding -n argocd
Use destinations and clusterResourceWhitelist
Apply restrictions using the destinations and clusterResourceWhitelist fields, in the same way as the namespaces and clusterResources fields.
Modify the Argo CD Application/AppProject manifests to include the appropriate restrictions.
🧯 If You Can't Patch
- Implement strict RBAC controls to minimize users with cluster secret update permissions
- Enable audit logging for all cluster secret modifications and monitor for suspicious activity
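Added example (not code from the advisory or from the Argo CD project) implementing the check behind the RBAC workaround and the first "If You Can't Patch" item: it parses an Argo CD RBAC policy in the policy.csv format of the argocd-rbac-cm ConfigMap and lists every subject whose effective roles grant clusters/update. On unpatched versions any such grant, however narrow its object, is enough to update every cluster secret, so the output is the set of accounts to review or revoke; the sample policy and its cluster URL are constructed.

```python
# Added example (not from the advisory or the Argo CD project): audit an
# argocd-rbac-cm policy.csv for every subject that can update cluster secrets.
# Assumed grammar: "p, subject, resource, action, object, effect" and
# "g, subject, role" (role inheritance is resolved transitively).
import csv
from collections import defaultdict
# Constructed sample policy; the cluster URL is a hypothetical placeholder.
SAMPLE_POLICY = """\
p, role:cluster-ops, clusters, update, https://prod.example.internal, allow
p, role:cluster-ops, clusters, get, *, allow
p, role:viewer, applications, get, */*, allow
p, role:admin, *, *, *, allow
g, ops-team, role:cluster-ops
g, alice, ops-team
g, bob, role:viewer
g, carol, role:admin
"""
def parse_policy(policy_csv):
    """Split policy.csv into permission tuples and a subject -> roles map."""
    grants, groups = [], defaultdict(set)
    for row in csv.reader(policy_csv.splitlines()):
        row = [field.strip() for field in row]
        if row and row[0] == "p" and len(row) == 6:
            grants.append(tuple(row[1:]))
        elif row and row[0] == "g" and len(row) == 3:
            groups[row[1]].add(row[2])
    return grants, groups

def effective_roles(subject, groups):
    """The subject itself plus every role reachable through g lines."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(groups.get(s, ()))
    return seen

def cluster_update_grants(policy_csv):
    """Map each subject to the cluster objects it may update ('*' = every cluster)."""
    grants, groups = parse_policy(policy_csv)
    findings = {}
    for subj in set(groups) | {g[0] for g in grants}:
        roles = effective_roles(subj, groups)
        objs = {obj for s, res, act, obj, eff in grants
                if s in roles and res in ("clusters", "*")
                and act in ("update", "*") and eff == "allow"}
        if objs:
            findings[subj] = sorted(objs)
    return findings
```

Feed it the policy.csv key extracted from the live argocd-rbac-cm ConfigMap; wildcard resources or actions (the built-in admin role) show up as '*'.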
🔍 How to Verify
Check if Vulnerable:
Check the Argo CD version from the running image:
kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}'
Extract just the version tag:
kubectl get deployment argocd-server -n argocd -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9.]*'
Verify Fix Applied:
Confirm that the version reported by the same command is 2.6.2, 2.5.11, 2.4.23, or 2.3.17.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized cluster secret modifications
- Multiple cluster secret updates from single user in short timeframe
- Failed cluster connections after secret changes
Network Indicators:
- Unusual API calls to cluster secret endpoints
- Increased traffic to Argo CD API from unexpected sources
SIEM Query:
source="argocd" AND ("clusters" AND "update") AND NOT user IN ["authorized_users_list"]
🔗 References
- https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j