Argo Workflows is a popular open source container-native workflow engine that orchestrates parallel jobs on Kubernetes. A security vulnerability, CVE-2024-53862, has been disclosed in certain versions of Argo Workflows: it lets an attacker retrieve archived workflows using a fake or spoofed token. In this post, we discuss the details of the vulnerability, walk through a code snippet that illustrates the issue, and describe how to mitigate it.

Vulnerability Details

The vulnerability affects Argo Workflows when the server runs with either --auth-mode=client or --auth-mode=sso. In client authentication mode, an attacker can retrieve archived workflows with a fake or spoofed token via the GET Workflow endpoint, /api/v1/workflows/{namespace}/{name}. In SSO authentication mode, any holder of a valid SSO token can retrieve any archived workflow via the same endpoint, regardless of the RBAC their identity actually has. In both modes the impact is read access to archived workflows, which may contain sensitive parameters and outputs.

The Argo Workflows server does not itself authenticate client tokens. It passes the caller's token on to the Kubernetes (k8s) API server and relies on that server (or, in SSO mode, the identity provider) for authentication, and on k8s RBAC for authorization. The Workflow Archive, however, is a database store that never talks to k8s. Any request that reaches the archive with a token that merely looks well-formed is therefore treated as authenticated, whether or not it is a real k8s token and whether or not the identity behind it has any RBAC for Argo.

The authentication check guarding the GET Workflow endpoint's fallback to archived workflows was accidentally removed in the change released in versions 3.5.7 and 3.5.8 (the upstream advisory links the exact lines), so a request for an archived workflow with a fake token succeeds. The fix shipped in Argo Workflows 3.6.2 and 3.5.13, so every release between the regression and the fix should be treated as affected: 3.5.7 through 3.5.12, and 3.6.0 and 3.6.1 on the 3.6 line.

Code Snippet

The following snippet is a simplified Python model (not the server's actual Go source) of the behavior in affected Argo Workflows versions, starting with 3.5.7 and 3.5.8, that lets an attacker retrieve archived workflows with a fake token:

# Argo Workflows with Vulnerability (simplified model of the GET Workflow
# handler; auth, api and archive stand in for the server's real components)
def get_workflow(namespace, name, token):
    # Live workflows: the caller's token is forwarded to the k8s API server,
    # which rejects anything it did not issue.
    if auth.check_token(token):
        return api.get_workflow(namespace, name)
    else:
        # Archive fallback: the archive never contacts k8s, and the check that
        # should guard this branch was dropped, so a fake token reaches the archive.
        return archive.get_workflow(namespace, name)

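To make the missing check concrete, here is an added example in Go (the server's own language) that is not the project's source and not part of the original post. It models client auth mode with a stand-in k8s API server that validates one hard-coded token, a Workflow Archive that never consults k8s, and two handler shapes: the flawed fallback that hands any failed live lookup to the archive unchecked, beside a hardened version that only falls back on a genuine not-found and authorizes the caller first. The types k8sAPI, wfArchive and the CanI helper, and the token strings, are all hypothetical names constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Workflow is a minimal stand-in for an Argo Workflow object.
type Workflow struct {
	Namespace, Name string
	Archived        bool // true when served from the Workflow Archive
}

var errNotFound = errors.New("workflow not found")
var errUnauthorized = errors.New("unauthorized")

// k8sAPI models the Kubernetes API server. argo-server forwards the caller's
// bearer token on live-workflow requests, so k8s is what rejects a bogus token;
// one hard-coded valid token stands in for that here (hypothetical stub).
type k8sAPI struct {
	validToken string
	live       map[string]Workflow
}

func (k *k8sAPI) Get(token, namespace, name string) (Workflow, error) {
	if token != k.validToken {
		return Workflow{}, errUnauthorized
	}
	wf, ok := k.live[namespace+"/"+name]
	if !ok {
		return Workflow{}, errNotFound
	}
	return wf, nil
}

// CanI models a SubjectAccessReview-style RBAC check (hypothetical helper).
func (k *k8sAPI) CanI(token, namespace string) bool {
	return token == k.validToken
}

// wfArchive models the Workflow Archive: a database that never contacts k8s
// and so cannot validate a token on its own.
type wfArchive struct{ rows map[string]Workflow }

func (a *wfArchive) Get(namespace, name string) (Workflow, error) {
	wf, ok := a.rows[namespace+"/"+name]
	if !ok {
		return Workflow{}, errNotFound
	}
	return wf, nil
}

type server struct {
	k8s     *k8sAPI
	archive *wfArchive
}

// getWorkflowVulnerable has the flawed shape: any failure of the live lookup,
// including k8s rejecting the token, falls through to the archive unchecked.
func (s *server) getWorkflowVulnerable(token, namespace, name string) (Workflow, error) {
	if wf, err := s.k8s.Get(token, namespace, name); err == nil {
		return wf, nil
	}
	// BUG: nothing here establishes who the caller is.
	return s.archive.Get(namespace, name)
}

// getWorkflowFixed falls back only on a genuine not-found and authorizes the
// caller against k8s RBAC before returning archived data.
func (s *server) getWorkflowFixed(token, namespace, name string) (Workflow, error) {
	wf, err := s.k8s.Get(token, namespace, name)
	if err == nil {
		return wf, nil
	}
	if !errors.Is(err, errNotFound) {
		return Workflow{}, err // a token k8s rejected stays rejected
	}
	if !s.k8s.CanI(token, namespace) {
		return Workflow{}, errUnauthorized
	}
	return s.archive.Get(namespace, name)
}

// newDemoServer wires up one live and one archived workflow (constructed data).
func newDemoServer() *server {
	return &server{
		k8s: &k8sAPI{
			validToken: "good-token",
			live:       map[string]Workflow{"prod/running": {Namespace: "prod", Name: "running"}},
		},
		archive: &wfArchive{rows: map[string]Workflow{
			"prod/nightly-build": {Namespace: "prod", Name: "nightly-build", Archived: true},
		}},
	}
}

func main() {
	s := newDemoServer()
	_, vErr := s.getWorkflowVulnerable("totally-fake", "prod", "nightly-build")
	_, fErr := s.getWorkflowFixed("totally-fake", "prod", "nightly-build")
	fmt.Println("fake token -> vulnerable:", vErr, "| fixed:", fErr)
}
```

Running it shows the vulnerable handler returning the archived workflow to a made-up token (nil error) while the fixed handler returns unauthorized; the design point is that the archive fallback must carry its own authorization because the archive has no k8s round-trip to lean on.
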
Mitigation Steps

If your organization runs an affected version of Argo Workflows (3.5.7 through 3.5.12, or 3.6.0 or 3.6.1), upgrade to 3.5.13 or 3.6.2, which contain the fix; the upgrade procedure is described in the official Argo Workflows documentation. Only deployments with the Workflow Archive enabled have archived workflows to leak, but the upgrade is warranted regardless, since enabling the archive later on a vulnerable version would expose the flaw. Until the upgrade is done, limit network exposure of the argo-server API to trusted clients.

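A practitioner's first question is whether a given deployment sits inside the affected range, so here is an added Go example (not part of the original post and not an Argo tool) that parses a release tag such as the argo-server image tag or the version printed by `argo version` and checks it against the ranges implied above. The ranges encode the regression in 3.5.7 and the fixes in 3.5.13 and 3.6.2; treating 3.6.0 and 3.6.1 as affected is an inference from the 3.6.2 fix version, and dropping pre-release suffixes (so v3.6.0-rc1 counts as affected) is a deliberately conservative choice of this example. The sample tags in main are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver holds the numeric part of a release tag such as "v3.5.12".
type semver struct{ major, minor, patch int }

// parseSemver accepts "3.5.12", "v3.5.12" and "v3.6.0-rc1"; pre-release and
// build suffixes are dropped, which is the conservative reading (an rc of an
// affected release is treated as affected).
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	return semver{nums[0], nums[1], nums[2]}, nil
}

func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// vulnRange is half-open: from is the first affected release, to the first fixed one.
type vulnRange struct{ from, to semver }

// Regression in 3.5.7, fixed in 3.5.13 and 3.6.2. Treating 3.6.0 and 3.6.1 as
// affected is an inference from the 3.6.2 fix version (assumption, not quoted
// from the advisory).
var cve202453862 = []vulnRange{
	{from: semver{3, 5, 7}, to: semver{3, 5, 13}},
	{from: semver{3, 6, 0}, to: semver{3, 6, 2}},
}

// isAffected reports whether a deployed argo-server version falls inside any
// affected range; unparsable tags such as "latest" return an error.
func isAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, r := range cve202453862 {
		if !v.less(r.from) && v.less(r.to) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample tags; in practice feed the argo-server image tag here.
	for _, tag := range []string{"v3.4.13", "v3.5.6", "v3.5.7", "v3.5.12", "v3.5.13", "v3.6.0-rc1", "v3.6.1", "v3.6.2", "latest"} {
		affected, err := isAffected(tag)
		if err != nil {
			fmt.Println(tag, "error:", err)
			continue
		}
		fmt.Printf("%-11s affected=%v\n", tag, affected)
	}
}
```

A tag like "latest" is rejected rather than silently reported as safe, since a mutable tag tells you nothing about which build is actually running; resolve it to the image digest or the version the server reports before trusting the answer.
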
Original References

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53862
2. Argo Workflows GitHub Issue: https://github.com/argoproj/argo-workflows/issues/abcdef
3. Argo Workflows Release Notes: https://argoproj.github.io/argo-workflows/releases/

Conclusion

Argo Workflows is an essential tool for many organizations using Kubernetes. By staying informed about security vulnerabilities like CVE-2024-53862 and promptly updating to secure versions, organizations can help protect their sensitive data and maintain the integrity of their workflows. Ensure you keep your Argo Workflows up-to-date to continue benefiting from its powerful features while minimizing risk.

Timeline

Published on: 12/02/2024 16:15:14 UTC