Security Bsides Las Vegas 2024

Redis or Not: Argo CD & GitOps from an Attacker's Perspective
2024-08-06, Florentine A

Get ready for a revelation! We are about to unveil a new vulnerability with a critical score of 9.1, targeting Kubernetes clusters equipped with Argo CD, a widely-used GitOps continuous delivery tool embraced by major companies such as TikTok, Spotify, and Mercedes-Benz.
This vulnerability exploits the Argo CD server's elevated permissions, exposing an attack vector for malicious actors to escalate their privileges from an initial foothold in the cluster to gain complete control over the Kubernetes cluster! By manipulating data within Argo CD's Redis caching server, attackers can deploy malicious pods, access sensitive information, and erase evidence of their activities. This abstract outlines the vulnerability's technical details, impact, and mitigation strategies, underscoring the critical need for robust security measures in Kubernetes environments utilizing GitOps.


Our research addresses the lack of attention given to GitOps security, aiming to raise awareness and enhance understanding of the vulnerabilities inherent in these systems. By shedding light on the potential risks and providing insights into how attackers can exploit them, we contribute to improving GitOps security practices.

Elad Pticha is a passionate security researcher with a focus on software supply chain and API security. Elad specializes in finding vulnerabilities in SDLC-related software. In his free time, Elad loves to code, hunt for vulnerable technologies, and use his skills to help companies mitigate their security risks. Before his current work at Cycode, Elad dedicated his time to finding critical vulnerabilities in web applications, IoT devices, and pretty much anything with an IP address, but his recent focus has shifted towards software supply chain security vulnerabilities. Elad is committed to staying up-to-date with the latest security trends and technologies and always seeking new challenges to tackle.

Hi, I'm Oreen, a cybersecurity expert from Tel Aviv. I specialize in supply chain security, with a background in Kerberos, domains, and networking. Outside work, I enjoy surfing, climbing, reading, and gardening. I'm always up to connect and collaborate to make our digital world more secure and resilient.