Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller

The attack on the Argo CD Kubernetes controller begins with the exploitation of elevated permissions, allowing the attacker to manipulate the Redis caching server, which lacks password protection. This manipulation enables the attacker to alter application state manifests and trick Argo CD into accepting malicious updates. As the attacker deploys malicious pods with high privileges, BlueRock's Container Capability Control mechanism ensures that only containers with specified capabilities are allowed to run, effectively preventing the deployment of these potentially harmful containers. Furthermore, the attacker attempts to execute code on the host node by deploying a privileged pod. Here, BlueRock's Reverse Shell Protection mechanism comes into play by preventing unauthorized attempts to bind shell input and output streams to network sockets, thereby mitigating the risk of reverse shell attacks. These mechanisms collectively safeguard the Kubernetes environment from unauthorized container deployments and malicious script executions, maintaining the integrity and security of the cluster.

• T1068: Exploitation for Privilege Escalation: The article mentions that the attacker exploits the elevated permissions of the Argo CD server to escalate their privileges and potentially take control of the Kubernetes cluster. This indicates the use of privilege escalation techniques.
• T1600.001: Weaken Encryption: Reduce Key Space: The attacker manipulates the data stored in Argo CD’s Redis caching server, which lacks password protection. This involves altering application state manifests stored in the Redis server to exploit the system. This describes a manipulation of application state and configuration data.
• T1059: Command and Scripting Interpreter: The attacker uses the Argo CD server’s elevated permissions to deploy malicious pods with high privileges, which can execute code on the host node and access sensitive information. This demonstrates the use of deploying malicious code or scripts.
• T1114.002: Email Collection: Remote Email Collection: The attacker recalculates the hash for the manipulated manifest without a secret key, allowing them to modify the manifest data and present it as legitimate. This is indicative of the use of hashing algorithms to bypass integrity checks.
• T1610: Deploy Container: The attacker creates a low-privilege pod in another namespace to simulate a compromised pod within the cluster. This is a form of creating and using a container for malicious purposes.
• T1560.002: Archive Collected Data: Archive via Library: The attacker uses a Go program to decompress gzipped contents in the Redis server to uncover cached information about the applications managed by Argo CD, including their manifests and details about the Kubernetes cluster. This involves extracting and analyzing compressed data.
• T1057: Process Discovery: The attacker uses Redis profiler to observe interactions between pods and the Redis server to understand how application behavior is affected. This is a form of gathering information through monitoring and profiling.
• T1535: Unused/Unsupported Cloud Regions: The attacker modifies the application manifest in Redis and successfully deploys a privileged pod, which allows them to escalate privileges and execute code on the host node. This involves the manipulation of cloud infrastructure.
• T1021.004: Remote Services: SSH: The attacker adds their public SSH key to the node’s authorized keys, allowing them to connect to the node with an SSH shell. This is indicative of the use of SSH for remote access.

‍