CVE-2024-31989: Argo CD Redis Server Vulnerability - Privilege Escalation and Information Leakage Exploit Details

Argo CD is a widely used, declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability has been discovered in Argo CD that affects the Redis server, allowing unprivileged pods in different namespaces on the same cluster to connect to it. This vulnerability, tagged as CVE-2024-31989, could lead to Privilege Escalation and Information Leakage if left unpatched or without proper access controls. The issue has been fixed in Argo CD version(s) 2.8.19, 2.9.15, and 2.10.10.

Background

This exploit takes advantage of a misconfiguration in Argo CD's VPC CNI plugin while running on an Amazon EKS cluster. To enforce network policies for Redis, the CNI plugin must be manually enabled through configuration. Many clients might overlook this step, resulting in an open access vulnerability for their Redis servers.

Exploit Details

By connecting to the Redis server on port 6379, an unprivileged pod in a different namespace can gain escalated privileges to the level of cluster controller. This exploit allows the attacker to exfiltrate sensitive information from the cluster by exploiting the open access vulnerability.

Here's a code snippet to understand how this exploit works

kubectl run rogue-pod -it --rm --image redis -- bash

# Inside the rogue pod
redis-cli -h <ARGOCD_REDIS_SERVICE_IP> ping
redis-cli -h <ARGOCD_REDIS_SERVICE_IP> KEYS "*"

In this snippet, a rogue Kubernetes pod is spun up using the Redis image. Once inside the pod, the redis-cli is utilized to connect to the Argo CD Redis service using its IP address and subsequently perform commands like ping and KEYS, which may expose sensitive information.

To mitigate this vulnerability, follow these steps

1. Upgrade Argo CD to version(s) 2.8.19, 2.9.15, or 2.10.10. Refer to the official Argo CD releases link for download and installation instructions.

2. Enable the VPC CNI plugin to enforce network policies for Redis. Refer to the official Amazon VPC CNI plugin documentation for configuration instructions.

3. As an additional security measure, make sure to have strict access controls in place for your Redis instances to prevent unauthorized access.

Conclusion

In summary, CVE-2024-31989 is a vulnerability that affects Argo CD clients running on Amazon EKS clusters. This issue arises due to a misconfiguration in the VPC CNI plugin, which needs to be manually enabled for enforcing network policies on Redis. Affected users should update their Argo CD instances to the patched versions and configure the CNI plugin to prevent potential Privilege Escalation and Information Leakage.

Timeline

Published on: 05/21/2024 19:15:09 UTC
Last modified on: 06/06/2024 17:10:15 UTC