Argo Unveils Three Critical Vulnerabilities
Security researchers have uncovered three critical vulnerabilities in Argo, a widely used GitOps continuous delivery tool for Kubernetes environments. Discovered by KTrust's in-house researchers, the flaws pose significant risks to system security, including bypassing rate-limit and brute-force protection mechanisms, triggering denial of service (DoS) attacks, and compromising user account safety.
The first vulnerability, identified as CVE-2024-21662, bypasses rate limits and brute-force protection by overwhelming the cache system. Because the cache that tracks failed logins has a fixed capacity, filling it forces older entries out, which effectively resets the protections and leaves the system open to attack. KTrust researchers demonstrated the flaw by flooding the system with login attempts across many user accounts, causing the cache to exceed its capacity and discard its oldest entries, including the records of failed login attempts.
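The failure class described above, as an added Go example that is not Argo's code: a failed-login counter kept in a bounded cache loses a locked account's state once unrelated entries push it out, whereas a variant that refuses to evict locked accounts (and fails closed when it cannot make room) keeps the lockout. The threshold, cache size and user names are assumptions chosen for the demonstration.

```go
package main

import "fmt"
// Illustrative model (not Argo CD's code) of a failed-login tracker in a
// bounded cache: plain eviction can erase lockout state; pinLocked refuses to.
const maxFailures, cacheSize = 5, 4 // assumed lockout threshold and cache capacity

type tracker struct {
	order     []string       // insertion order, oldest first
	counts    map[string]int // failed attempts per user
	pinLocked bool           // hardened mode: never evict locked accounts
}

func (t *tracker) locked(user string) bool { return t.counts[user] >= maxFailures }

// recordFailure counts a failed attempt, evicting the oldest evictable entry when full; false means fail closed.
func (t *tracker) recordFailure(user string) bool {
	if _, seen := t.counts[user]; !seen {
		if len(t.order) >= cacheSize {
			i := 0
			for i < len(t.order) && t.pinLocked && t.locked(t.order[i]) {
				i++
			}
			if i == len(t.order) {
				return false
			}
			delete(t.counts, t.order[i]) // the evicted account's history is gone
			t.order = append(t.order[:i], t.order[i+1:]...)
		}
		t.order = append(t.order, user)
	}
	t.counts[user]++
	return true
}

// floodAfterLockout locks "target", fails n other users once each, then
// reports whether the lockout survived the churn.
func floodAfterLockout(pinLocked bool, n int) bool {
	t := &tracker{counts: map[string]int{}, pinLocked: pinLocked}
	for i := 0; i < maxFailures; i++ {
		t.recordFailure("target")
	}
	for i := 0; i < n; i++ {
		t.recordFailure(fmt.Sprintf("user%d", i))
	}
	return t.locked("target")
}

func main() {
	fmt.Println(floodAfterLockout(false, 10), floodAfterLockout(true, 10)) // false true
}
```

With the cache set to four entries, the plain tracker forgets the target's lockout after only four other accounts have failed once each, while the pinned tracker keeps it.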
The second vulnerability, CVE-2024-21652, bypasses brute-force protection by crashing the application, which discards the in-memory data that tracks failed attempts. Once that data is lost, repeated login attempts can be made without restriction.
The third vulnerability, CVE-2024-21661, is a high-severity flaw that enables DoS attacks through unsafe array handling in a multi-threaded environment: an array is modified while it is still being iterated over.
Nadav Aharon-Nov, CTO and co-founder of KTrust, reported these vulnerabilities to Argo in September 2023. Argo plans to address these issues in a forthcoming version of its product. Aharon-Nov emphasized the importance of swiftly addressing these loopholes to prevent potential security breaches in affected systems.
At the time of writing, Argo had not responded to Infosecurity's requests for comment on these vulnerabilities.
Defensive strategies for Kubernetes environments include implementing robust access controls, regularly updating software components, employing network segmentation, and conducting routine security audits and assessments.