Vulnerability: Argo CD path-traversal vulnerability enables leaking data
This week’s major news has been the vulnerability discovered in Argo CD, a popular continuous delivery platform.
The vulnerability (CVE-2022-24348, CVSS score of 7.7) was discovered by researchers at Apiiro, and allowed attackers to exploit a path traversal vulnerability in the platform to gain access to other application instances. Researchers believe this could have led to leaking passwords, API keys, and tokens. According to the researchers, attackers could exploit it by loading a malicious Helm Chart YAML file into affected Argo CD systems.
The root cause of the vulnerability was an implementation error in the method ParseRequestURI which validated the root directories of paths loaded from external sources. If the input path received appeared to be a URL, further checks were skipped. This meant that attackers could use a URL path to bypass the anti-path-traversal checks. By specifying the arbitrary path in a Helm Chart allowed attackers to access any file or directory on the server filesystem.
The researchers advise Argo CD users to patch their systems as soon as possible.
clj-holmes/clj-holmes: A CLI SAST (static application security testing) tool to find vulnerable Clojure code via rules that use a simple pattern language.
BeyondCorp is dead, long live BeyondCorp: Tailscale’s Maya Kaczorowski describes what zero trust architecture / BeyondCorp actually mean (beyond the hype), how difficult it is (even Google isn’t fully BeyondCorp), the importance of device trust, and what an ideal solution looks like.
Top 10 web hacking techniques of 2021: Another annual round-up by Portswigger. Several on HTTP Request Smuggling, as well as fuzzing for XSS, JSON interoperability vulnerabilities, cache poisoning at scale, attacking HTTP/2, and more. #1: Dependency Confusion.
Cloud Security Podcast: Cloud Security RoadMap with Scott Piper
Ashish Rajan interviews Summit Route’s Scott Piper on his Cloud Security Podcast, covering what to prioritize as a start-up, challenges for medium to large companies, continuous compliance, getting started in cloud security, and more.
If you’re interested in cloud security, I’d give Ashish’s Cloud Security Podcast a look, he interviews a number of super solid people, and has recently been doing series on AWS, GCP, and Azure security.
AdminTurnedDevOps/DevOps-The-Hard-Way-AWS: Free labs, documentation, and diagrams for setting up an environment that is using DevOps technologies and practices for deploying apps and cloud services/cloud infrastructure to AWS, by Mike Levan.
Eliminating Dangling Elastic IP Takeovers with Ghostbuster: When you create a DNS record pointing to an IP but don’t remove the DNS record after the EC2 instance has been destroyed or given a new IP, you become vulnerable to subdomain takeover attacks. Assetnote’s Shubham Shah describes Ghostbuster, a new tool they’re releasing that can detect these dangling Elastic IP addresses.
Ghostbuster works by enumerating all the elastic/public IPs associated with every AWS account you own, and then checking if there are any DNS records pointing to elastic IPs that you don’t own in any of your AWS accounts.
GitBOM: A minimalistic scheme for build tools to:
- Build a compact artifact tree, tracking every source code file incorporated into each built artifact.
- Embed a unique, content-addressable reference for that artifact tree, the GitBOM identifier, into the artifact at build time.
“Zero-Days” Without Incident – Compromising Angular via Expired npm Publisher Email Domains
Fun fact: Email addresses for all maintainers on npm are public. Matthew Bryant shows how you can use this for nefarious ends.
- Scrape all
npmpackage maintainer email addresses.
- Filter to custom owned domains (e.g.
- See which of those domains are expired or expiring.
- Register those domains and use it to reset the victim user’s npm password.
- Backdoor their repo, profit $$$.
Witness prevents tampering of build materials and verifies the integrity of the build process from source to target. It works by wrapping commands executed in a continuous integration process.
Defense Against Novel Threats: Redesigning CI at Mercari
Mercari’s Michael Findlater describes how they’ve rearchitected their CI to protect against malicious third-party dependencies. The post gives a nice overview of aspects to consider, like disallowing CI config modification without review, limiting CI egress to prevent exfiltration of data, running jobs ephemerally in clean, isolated environments, integrating with secret management tools, and more. They use self-hosted GitHub Action runners on GKE.
One key point, which I’ve called out a number of times in effective security engineering work from various companies, is they worked closely with Developer Experience teams to ensure it doesn’t slow down development, fits in nicely to existing dev processes, etc.
They’ve also integrated some default setup into a
microservice-starter-kit Terraform module that’s used for new microservices, likely leading to easier, widespread adoption.
kbrew-dev/kbrew: Homebrew for Kubernetes.
How we automated ourselves out of on-call burnout… and you can too!: Segment’s Prima Virani describes how in 6 months they’ve partially or fully automated approximately 85% of their incident response playbooks using Twilio’s SOCless tool, which basically aims to make it easy to convert workflows to a series of Lambdas handling each step.
The post contains a number of useful hardening steps the Segment team took, and some good advice:
- Sort alerts by frequency and automate the most frequent alerts first for maximum impact.
- It’s better to partially cover many alerts instead of entirely automating one playbook, as oftentimes an automation can close out a response before later manual steps are reached.
- Communicate outcomes at every step so humans know where to pick up, and so you can easily troubleshoot errors.
SSH into your private machines from anywhere, for free, using Cloudflare Tunnel: Guide by Ben Butterworth to using Cloudflare Tunnel, which will filter traffic to your machines through Cloudflare’s network, including authenticating you.
Politics / Privacy
I Used Apple AirTags, Tiles and a GPS Tracker to Watch My Husband’s Every Move: A NY Times reporter tests 3 location tracking tools, with permission, on her husband. Even when you know they’re there, they’re not easy to find.
Here’s a crazy idea. Since TikTok is a content surfacing and rewarding platform, and it’s Chinese-controlled, wouldn’t it be interesting if they rewarded different behavior for different populations? What if they rewarded science and engineering and creativity in China, but in Europe and the US they rewarded promiscuity, anti-government, or hate-oriented content? Wouldn’t that be an ingenious way to incentivize the raising of your own society while contributing to the downfall of an enemy? I wonder if anyone’s done any analysis of what gets surfaced or rewarded in different geographies.
Bradbury predicted that people, disturbed by confusing or challenging ideas, might one day demand censorship for themselves and protection from any information that pierced the veil of their own simplified reality.
Bradbury was right that people would choose self-censorship, led into ignorance by technological innovations that make open discourse and thought unpalatable. Were it a government that imposed such a rule, there would be an uproar, at least in Western societies. But gently coaxed by algorithms, people have voluntarily gravitated towards simple, comfortable ideas and begun to reject complexity, nuance, and the possibility that contrary opinions are not necessarily immoral or even incorrect.
Never Use Text Pixelation To Redact Sensitive Information: Bishop Fox’s Dan Petro discusses why pixelation is a bad approach for redacting sensitive info in images, and releases a tool, Unredacter, that reverses redacted pixelized text back into its unredacted form.