===================================================================                                CERT-Renater

                      Note d'Information No. 2023/VULN311

_____________________________________________________________________

DATE                : 12/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Argo CD (Go) versions prior to
                                    2.8.3, 2.7.14, 2.6.15.

====================================================================https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m
https://github.com/argoproj/argo-cd/security/advisories/GHSA-g687-f2gx-6wm8
_____________________________________________________________________

Cluster secret might leak in cluster details page
Critical
jannfis published GHSA-fwr2-64vr-xv9m
Package
github.com/argoproj/argo-cd (Go)

Affected versions
2.2.0 through 2.6.14, 2.7.113, 2.8.2

Patched versions
2.8.2, 2.7.14, 2.6.15


Description

Impact

Argo CD Cluster secrets might be managed declaratively using
Argo CD / kubectl apply. As a result, the full secret body is
stored inkubectl.kubernetes.io/last-applied-configuration annotation.

#7139 introduced the ability to manage cluster labels and
annotations. Since clusters are stored as secrets it also exposes
the kubectl.kubernetes.io/last-applied-configuration annotation
which includes full secret body. In order to view the cluster
annotations via the Argo CD API, the user must have clusters, get
RBAC access.

Note: In many cases, cluster secrets do not contain any
actually-secret information. But sometimes, as in bearer-token
auth, the contents might be very sensitive.


Patches

The bug has been patched in the following versions:

     2.8.3
     2.7.14
     2.6.15


Workarounds

Update/Deploy cluster secret with server-side-apply flag which does
not use or rely on kubectl.kubernetes.io/last-applied-configuration
annotation. Note: annotation for existing secrets will require manual
removal.


For more information

     Open an issue in the Argo CD issue tracker or discussions
     Join us on Slack in channel #argo-cd


Severity
Critical

9.9/ 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
High

Availability
Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CVE ID
CVE-2023-40029

Weaknesses
No CWEs


Credits

     @alexmt alexmt
_____________________________________________________________________

Denial of Service to Argo CD repo-server
Moderate
jannfis published GHSA-g687-f2gx-6wm8
github.com/argoproj/argo-cd (Go)

Affected versions
> v2.4

Patched versions
v2.6.15, 2.7.14, 2.8.3


Description

Impact

All versions of ArgoCD starting from v2.4 have a bug where the
ArgoCD repo-server component is vulnerable to a Denial-of-Service
attack vector. Specifically, the said component extracts a
user-controlled tar.gz file without validating the size of its
inner files. As a result, a malicious, low-privileged user can
send a malicious tar.gz file that exploits this vulnerability
to the repo-server, thereby harming the system's functionality
and availability. Additionally, the repo-server is susceptible
to another vulnerability due to the fact that it does not check
the extracted file permissions before attempting to delete them.
Consequently, an attacker can craft a malicious tar.gz archive
in a way that prevents the deletion of its inner files when
the manifest generation process is completed.


Patches

A patch for this vulnerability has been released in the
following Argo CD versions:

     v2.6.15
     v2.7.14
     v2.8.3


Workarounds

The only way to completely resolve the issue is to upgrade.


Mitigations

Configure RBAC (Role-Based Access Control) and provide access
for configuring applications only to a limited number of
administrators. These administrators should utilize trusted
and verified Helm charts.


For more information

If you have any questions or comments about this advisory:

     Open an issue in the Argo CD issue tracker or discussions
     Join us on Slack in channel #argo-cd


Credits

This vulnerability was found & reported by GE Vernova – Amit Laish.

The Argo team would like to thank these contributors for their
responsible disclosure and constructive communications during
the resolve of this issue


Severity
Moderate

6.5/ 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Unchanged

Confidentiality
None

Integrity
None

Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2023-40584

Weaknesses
No CWEs


Credits

     @amit-laish amit-laish


========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================