Misconfigured Argo Workflows Expose K8s to Attack

As enterprise adoption of Kubernetes grows rapidly, so do the opportunities for attackers to exploit security weaknesses in the popular container orchestration platform.

This week, security specialist Intezer detected a new attack vector against K8s clusters through misconfigured Argo Workflows instances, and is warning of the potential for larger-scale attacks given the hundreds of misconfigured deployments it found.

Misconfigured Workflows Introduce New Attack Vector

Argo Workflows is an open source, container-native workflow engine designed to run on K8s clusters, and exposed instances can contain sensitive information such as code, credentials and private container image names.

Instances with misconfigured permissions allow threat actors to run unauthorized code in the victim’s environment. Intezer finds these misconfigured instances belong to companies from a range of sectors, from technology to finance to logistics.

Intezer researchers’ blog post lays out the code-level specifics of how Argo could be exploited when permissions are misconfigured and offers mitigation advice.

“It is critical to ensure that best practices for permissions are followed in order to prevent unauthorized activity in your environments,” the post notes. “Methodologies such as the principle of least privilege (PoLP) should be followed and always refer to the application documentation for best practices on security.”
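The mitigation the post points to is scoping permissions to the minimum a workflow submitter needs. The audit below is an added example, not code from Intezer's post or the Argo project: it walks Kubernetes RBAC objects (dicts shaped like `kubectl get ... -o json` output) and flags grants that would let a subject submit workflows, and so run containers; all object names and the sample manifests are constructed.

```python
# Added example, not Intezer's code and not part of Argo Workflows: a least-privilege
# audit of the Kubernetes RBAC that decides who may submit Argo workflows (and so run
# containers). Objects are dicts shaped like the .items of
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
ARGO_GROUP = "argoproj.io"
WORKFLOW_KINDS = {"workflows", "workflowtemplates", "clusterworkflowtemplates", "cronworkflows"}
EXEC_VERBS = {"create", "update", "patch", "*"}  # verbs that let the holder start containers
RISKY_GROUPS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}

def rule_risks(rule):
    """Reasons a single RBAC rule could let its holder run code on the cluster."""
    groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
    if "*" in groups or "*" in resources or "*" in verbs:
        return ["wildcard grant"]
    risks = []
    if ARGO_GROUP in groups and resources & WORKFLOW_KINDS and verbs & EXEC_VERBS:
        risks.append("can submit or modify workflows")
    if "" in groups and resources & {"pods", "pods/exec"} and verbs & EXEC_VERBS:
        risks.append("can create pods or exec into them")
    return risks

def audit_rbac(objects):
    """One finding per (binding, subject) whose role carries any rule_risks() hit."""
    role_risks = {(o["kind"], o["metadata"]["name"]): [r for rule in o.get("rules", []) for r in rule_risks(rule)]
                  for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        risks = role_risks.get((ref["kind"], ref["name"]), [])
        for s in o.get("subjects", []) if risks else []:
            # cluster-wide scope or a catch-all group means any caller can act on the grant
            broad = o["kind"] == "ClusterRoleBinding" or (s["kind"] == "Group" and s["name"] in RISKY_GROUPS)
            findings.append({"binding": o["metadata"]["name"], "subject": f'{s["kind"]}/{s["name"]}',
                             "severity": "high" if broad else "medium", "risks": risks})
    return findings

# Constructed sample: a least-privilege namespaced Role for a CI account next to a
# cluster-wide grant that lets unauthenticated callers submit workflows.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "template-reader", "namespace": "argo"},
     "rules": [{"apiGroups": [ARGO_GROUP], "resources": ["workflowtemplates"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "template-reader-rb", "namespace": "argo"},
     "roleRef": {"kind": "Role", "name": "template-reader"}, "subjects": [{"kind": "ServiceAccount", "name": "ci"}]},
    {"kind": "ClusterRole", "metadata": {"name": "argo-open"},
     "rules": [{"apiGroups": [ARGO_GROUP], "resources": ["workflows"], "verbs": ["create", "get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "argo-open-crb"},
     "roleRef": {"kind": "ClusterRole", "name": "argo-open"}, "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
]
```

Running `audit_rbac(SAMPLE)` reports only the cluster-wide binding to `system:unauthenticated`; the read-only template Role produces no finding.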

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, notes hackers are opportunistic and have become excellent at moving and adapting quickly, as we’ve seen from the recent surge in exploits of zero-day vulnerabilities.

“Cloud environments are not immune, and zero-days can give bad actors the opening they need through several attack vectors,” he says. “Unless IT security teams get proactive about improving cyber hygiene and enterprise security posture, the situation is going to get worse before it gets better.”

Bar-Dayan notes that cloud vulnerabilities typically come in three forms. First, a known Kubernetes vulnerability that has not been patched. Second, misconfigured services, usually caused by user error. Third, assets that have been left exposed to the public web, along with weak user access controls.

He points to a recent Gartner study, which predicted that through 2025, more than 99% of cloud breaches will have customer misconfigurations or mistakes as their root cause.

“Kubernetes is no exception, and with the complexity and scale inherent in enterprise cloud deployments, there will be breaches due to human error through no fault of the cloud provider,” he says. “Unfortunately, misconfiguration is just one type of risk-inducing vulnerability, and cloud is just one attack vector that needs to be tracked and mitigated.”

Bar-Dayan says IT security teams need a consolidated view of risk across cloud application environments as well as traditional IT infrastructure and then should plan to prioritize and mitigate this risk.

“It’s no easy task, but it is possible through procedural and organizational discipline,” he says. “If security teams can understand and prioritize risk created by cloud misconfigurations alongside IT infrastructure and application vulnerabilities, they have a shot at reducing risk and improving the security posture of the business.”

Securing Cloud Infrastructure

From his perspective, cloud security can no longer be someone else’s problem, and it is not enough to ask if cloud infrastructure by itself is secure.

“We must ask the same about our applications, traditional infrastructure and networks,” he says.

Andrew Barratt, managing principal of solutions and investigations at Coalfire, says this vulnerability serves to show how the growing complexity of orchestrated, containerized cloud solutions can quickly get out of control if not managed well.

“Misconfiguration is probably one of the largest causes of vulnerabilities across the board,” Barratt says. “When you add in containerized products such as Argo that specialize in compute-intensive solutions, you’ve got a real sweet spot to look for vulnerabilities to drop highly intensive malware, such as cryptominers, in a way that means they might go unnoticed until a larger-than-expected compute bill arrives from your cloud provider.”

Barratt admits it’s difficult to say if the threats to Kubernetes cloud clusters are growing.

“We should see Kubernetes a bit like a platform, so it could be targeted quite regularly for anything that it pushes out which can be containerized services containing more vulnerabilities,” he says. “I’d expect to see it grow due to the many permutations of things that are possible.”

He notes that in addition to misconfigurations, there are “many, many” other risk-inducing vulnerabilities organizations need to be aware of when it comes to Kubernetes cloud clusters.

“There does appear to have been a shift toward application security issues as more companies move to the cloud,” he observes. “Managing lots of application complexity combined with cloud deployment complexity is going to see these kinds of issues continue to be a problem.”

Vishal Jain, co-founder and CTO at Valtix, also points out that the network is the common ground for a lot of these attacks, and says enterprises need to protect their applications in the cloud from a network perspective.

“Basic techniques like decryption, content scanning and URL filtering are still very much applicable,” he says.

Jain also recommends enterprises follow a layered defense approach beyond checking for misconfigurations and deploy container security and network security solutions together.

“Using all of these approaches holistically can help prevent such attacks and limit the damage if an attack does happen,” Jain says. “It is also a good practice to have proper ingress and egress network security controls in place for K8s clusters.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
