KTrust Reveals Three CVEs in Argo CD for Kubernetes
Tel Aviv, Israel, March 18 2024 - KTrust, a pioneer in continuous threat exposure for Kubernetes (K8s) environments, today announced that researchers in their in-house lab identified three CVEs in Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. Risks include: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662), Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652) and Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multithreaded Environment (CVE-2024-21661).
“We brought these vulnerabilities to the attention of Argo in September 2023 and they are planning to mitigate the risks in a future version of the product,” said Nadav Aharon-Nov, CTO and Co-founder, KTrust. “This discovery highlights our ability to exploit vulnerabilities in systems believed to be secure and serves as a critical reminder for developers and security professionals to continuously update and strengthen their security protocols. Addressing this loophole swiftly is essential to prevent potential security breaches in affected systems.”
Details of the discovered CVEs are as follows:
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662) Severity: Moderate
The vulnerability is present in applications using cache-based mechanisms for rate limit and brute force protections. This weakness allows bad actors to bypass these security measures by overloading the cache system.
The vulnerability lies in the application's cache system, designed to track user login attempts. This cache has a maximum capacity of 1000 entries (defaultMaxCacheSize). In discovering the issue, researchers at KTrust exploited this limitation by inundating the system with login attempts across various user accounts. This flood of attempts exceeded the cache's capacity, forcing it to discard older entries, including the failed login attempts of the admin account. As a result, the rate limit for the admin account was reset, leaving it exposed to further attacks. The brute force protection mechanism's code:
```go
if failed && len(failures) >= getMaximumCacheSize() {
	log.Warnf("Session cache size exceeds %d entries, removing random entry", getMaximumCacheSize())
	idx := rand.Intn(len(failures) - 1)
	var rmUser string
	i := 0
	for key := range failures {
		if i == idx {
			rmUser = key
			delete(failures, key) // the evicted entry may be the admin's failure record
			break
		}
		i++
	}
	// the excerpt quoted in the release ends at the for loop; the loop body above is
	// reconstructed from the idx, i and rmUser variables it declares (rmUser is used for logging)
}
```
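Added example, not code from KTrust or Argo CD: a Go simulation of the eviction logic quoted above, with the cache modelled as a username-to-FailCount map capped at the quoted defaultMaxCacheSize of 1000 and an assumed lockout threshold of 5. It simplifies the rand.Intn walk to "the first entry in Go's randomised map iteration order", and sets that policy beside an assumed lockout-aware one that never evicts an active lockout and fails closed when nothing else can be evicted.

```go
package main

import "fmt"

const maxCacheSize = 1000 // defaultMaxCacheSize quoted in the advisory
const maxFailures = 5     // assumed lockout threshold, not from the advisory

type Failures map[string]int // username -> FailCount (LastFailed omitted here)

// record counts one failed login for user. When the cache is full it evicts
// the first entry in Go's randomised map iteration order that evictable
// accepts; if no entry qualifies it refuses the attempt (fail closed).
func record(failures Failures, user string, evictable func(count int) bool) bool {
	if _, known := failures[user]; !known && len(failures) >= maxCacheSize {
		victim, found := "", false
		for key, n := range failures {
			if evictable(n) {
				victim, found = key, true
				break
			}
		}
		if !found {
			return false
		}
		delete(failures, victim)
	}
	failures[user]++
	return true
}

// anyEntry reproduces the quoted behaviour: any entry, active lockouts included,
// may be dropped, so a flood of fresh usernames eventually drops the admin lockout.
func anyEntry(int) bool { return true }

// notLockedOut is an assumed mitigation (not Argo CD's fix): entries at or above
// the lockout threshold are never evicted, so a flood only displaces flood entries.
func notLockedOut(count int) bool { return count < maxFailures }

// floodSurvives locks out "admin", floods the cache with n distinct constructed
// usernames and reports whether the admin lockout is still tracked afterwards.
func floodSurvives(evictable func(int) bool, n int) bool {
	failures := Failures{}
	for i := 0; i < maxFailures; i++ {
		record(failures, "admin", evictable)
	}
	for i := 0; i < n; i++ {
		record(failures, fmt.Sprintf("user%d", i), evictable)
	}
	return failures["admin"] >= maxFailures
}
```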
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652) Severity: Moderate
KTrust identified a method to bypass the brute force login protection in an application by exploiting a combination of vulnerabilities. This involves triggering a Denial of Service (DoS) attack that crashes the application, exploiting the in-memory data storage of failed login attempts. The crash effectively clears the record of failed logins, resetting the brute force protections and making user accounts vulnerable to repeated login attempts.
Their strategy exploits two primary weaknesses:
- Application Crash through Unsafe Array Handling: KTrust leveraged a known DoS vulnerability, stemming from improper handling of arrays in a multi-threaded environment, to crash the application.
- In-Memory Storage of Login Attempts: The application’s failure to store failed login attempts persistently plays to the benefit of an attacker. When it crashes and restarts, the data loss resets any brute force protection measures.

```go
// LoginAttempts is a timestamped counter for failed login attempts
type LoginAttempts struct {
	// Time of the last failed login
	LastFailed time.Time `json:"lastFailed"`
	// Number of consecutive login failures
	FailCount int `json:"failCount"`
}
```
By combining these vulnerabilities, a hacker can continuously reset the login attempt counter, effectively bypassing any brute force restrictions. This tactic poses a significant security threat. It allows an attacker to disrupt the service for all users and repeatedly attempt logins without limitations. The risk of unauthorized account access is substantially increased, demonstrating the critical nature of these vulnerabilities and the need for their prompt resolution.
Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multithreaded Environment (CVE-2024-21661) Severity: High
KTrust identified a critical vulnerability that allows the initiation of a Denial of Service (DoS) attack, causing the application to become nonfunctional and impacting all users. This vulnerability stems from improper array manipulation in a multi-threaded environment. This flaw exists in the application's coding practices. It occurs when an array is modified concurrently as it's being iterated over. While this is a common programming oversight, it becomes critical in a multi-threaded environment. The application faces a crash when two threads modify the same array simultaneously.
The problem mainly arises in the expireOldFailedAttempts function:
```go
func expireOldFailedAttempts(maxAge time.Duration, failures *map[string]LoginAttempts) int {
	expiredCount := 0
	for key, attempt := range *failures {
		if time.Since(attempt.LastFailed) > maxAge*time.Second {
			expiredCount += 1
			delete(*failures, key) // Vulnerable code
		}
	}
	return expiredCount
}
```
The function alters the array (a Go map) during iteration, and when another thread touches the same map at the same time the process crashes. This can be confirmed by inspecting the logs just before the crash:
```
goroutine 2032 [running]:
github.com/argoproj/argocd/v2/util/session.expireOldFailedAttempts(0x12c, 0xc000adecd8)
	/go/src/github.com/argoproj/argocd/util/session/sessionmanager.go:304 +0x7c
github.com/argoproj/argocd/v2/util/session.(*SessionManager).updateFailureCount(0xc00035af50, {0xc001b1f578, 0x11}, 0x1)
	/go/src/github.com/argoproj/argocd/util/session/sessionmanager.go:320 +0x7f
github.com/argoproj/argocd/v2/util/session.(*SessionManager).VerifyUsernamePassword(0xc00035af50, {0xc001b1f578, 0x11}, {0xc000455148, 0x8})
```
This vulnerability classifies as a Denial of Service (DoS) issue. It allows any attacker, without needing authentication, to repeatedly crash the application. This constant disruption makes the service inaccessible to legitimate users. The lack of an authentication requirement for exploiting this vulnerability significantly increases the risk, as any user, authenticated or not, can potentially initiate the attack.
Addressing this flaw promptly is crucial to prevent widespread service disruptions and maintain system integrity.
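Added example, not Argo CD's code or its eventual fix: the quoted expireOldFailedAttempts loop and the updateFailureCount write placed behind a mutex, with a Stress driver that reproduces the concurrent handler-plus-sweeper pattern. Only LastFailed from the quoted LoginAttempts struct is kept, and the 30-minute expiry is assumed. The same driver against an unguarded map can trigger Go's fatal "concurrent map iteration and map write", whereas this version completes and passes `go test -race`.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// FailureStore guards the failed-login map with a mutex (the assumed mitigation
// shown here, not necessarily Argo CD's fix); only LastFailed is kept for brevity.
type FailureStore struct {
	mu         sync.Mutex
	lastFailed map[string]time.Time
}
// RecordFailure is updateFailureCount's map write, done under the lock.
func (s *FailureStore) RecordFailure(user string, at time.Time) {
	s.mu.Lock()
	s.lastFailed[user] = at
	s.mu.Unlock()
}
// ExpireOlderThan is the quoted expireOldFailedAttempts loop under the lock. Deleting
// while ranging is safe inside one goroutine; the crash needs a concurrent writer.
func (s *FailureStore) ExpireOlderThan(maxAge time.Duration, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for key, last := range s.lastFailed {
		if now.Sub(last) > maxAge {
			delete(s.lastFailed, key)
		}
	}
}

// Stress fires login handlers that write while sweeps run concurrently (the crashing
// pattern) and returns the entries left after a final sweep: even-numbered users
// write hour-old stamps and expire, odd-numbered ones stay. Check with go test -race.
func Stress(writers int) int {
	s := &FailureStore{lastFailed: make(map[string]time.Time)}
	base := time.Now()
	var wg sync.WaitGroup
	for i := 0; i < writers; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			s.RecordFailure(fmt.Sprintf("user-%d", i), base.Add(-time.Duration(1-i%2)*time.Hour))
		}(i)
		s.ExpireOlderThan(30*time.Minute, base) // sweep while handlers are still writing
	}
	wg.Wait()
	s.ExpireOlderThan(30*time.Minute, base)
	return len(s.lastFailed) // all writers have finished, so no lock is needed here
}
```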
KTrust recently emerged from stealth with $5.3M in funding. The technology takes an attacker-centric approach to red teaming security for K8s. KTrust’s founding team includes CEO Nadav Toledo, a former Colonel in the 8200 intelligence unit of the Israeli Military; CTO Nadav Aharon-Nov, a veteran hacker and cybersecurity leader; and COO Sigalit Shavit, the former Global CIO of CyberArk with extensive experience of enterprise security.
About KTrust
At KTrust, we redefine Kubernetes (K8s) security. By mastering K8s attack flows the company empowers DevSecOps by uncovering innovative paths, continuously validating real exposures, and automating mitigation for each unique ecosystem. The K8s-native Continuous Threat Exposure Management (CTEM) platform blends CVEs, MITRE, and proprietary unique K8s attack flows, ensuring businesses are always one step ahead of evolving threats. The platform offers comprehensive K8s Risk Prioritization, Breach and Attack Simulation, all consolidated in one platform, guaranteeing the security and validation of your K8s exposure ecosystem.
Contact Details
Judith Arkush
Si14 Global Communications
judith.arkush@si14global.com
516 6932099