New Attack Technique That Enables Attackers To Exfiltrate Git Credentials In ArgoCD

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A newly disclosed attack technique enables authenticated users within the popular GitOps tool ArgoCD to exfiltrate powerful Git credentials.

The method, discovered by the cybersecurity research group Future Sight, exploits Kubernetes’ internal DNS resolution to intercept credentials in transit, posing a significant risk to organizations relying on the continuous delivery tool.

ArgoCD, a leading project in the Cloud Native Computing Foundation (CNCF) landscape, functions by pulling Kubernetes manifests from a Git repository to maintain the desired state of applications. To do this, it stores credentials for connecting to Git servers like GitHub.

Design architecture (source: Futuresight)

The ArgoCD UI and API never display these credentials once they are stored, but this technique captures them at the moment the repo-server presents them to what it believes is the Git host.

The Attack Explained

The core of the technique is DNS spoofing inside the cluster. An attacker who controls an ArgoCD account with permission to create applications can use ArgoCD itself to deploy a Kubernetes Service (and the Namespace it lives in) into the same cluster that ArgoCD runs in.

The Service is named so that its cluster-internal DNS name coincides with the name of a legitimate Git host, such as github.com.

This works because of how Kubernetes configures DNS for pods. The kubelet writes a resolv.conf into every pod, including ArgoCD's repo-server, that lists the cluster search domains and sets ndots:5. Any hostname with fewer than five dots, which includes github.com, is first tried with each search domain appended (github.com.argocd.svc.cluster.local, github.com.svc.cluster.local, github.com.cluster.local for a repo-server in the argocd namespace) and only then as an absolute Internet name.

Kubernetes registers every Service as <service>.<namespace>.svc.cluster.local, so, for example, a Service named github in a Namespace named com answers for github.com.svc.cluster.local, one of the names the repo-server's resolver tries before the query ever leaves the cluster. The spoofed answer points github.com at the attacker's ClusterIP instead of GitHub.

As a result, when ArgoCD syncs a repository, the repo-server connects not to the real GitHub but to the attacker's proxy Service, Future Sight said.
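The resolver behaviour described above, as an added example that is not part of the Future Sight write-up or of ArgoCD's code: a model of the glibc-style search-path expansion a pod in the argocd namespace performs, run against a constructed table of cluster DNS records in which a Service named github in a Namespace named com occupies github.com.svc.cluster.local. The same candidate-name logic doubles as an audit that flags Service/Namespace pairs colliding with a list of Git hosts. The ClusterIPs, the Service list and the Git host list are made up; the search list and ndots:5 are the kubelet defaults.

```python
"""Model of Kubernetes pod DNS search expansion and a collision audit.

Added example, not code from the Future Sight research or from Argo CD.
SEARCH/NDOTS are what the kubelet writes into /etc/resolv.conf of a pod in
the "argocd" namespace with cluster domain "cluster.local". The records,
ClusterIPs, Service list and Git hosts below are constructed sample data.
"""

SEARCH = ["argocd.svc.cluster.local", "svc.cluster.local", "cluster.local"]
NDOTS = 5
CLUSTER_DOMAIN = "cluster.local"

# Constructed cluster zone. "github.com.svc.cluster.local" is the record
# Kubernetes creates for a Service named "github" in a Namespace named "com"
# (<svc>.<ns>.svc.<cluster-domain>); the ClusterIPs are invented.
CLUSTER_RECORDS = {
    "argocd-repo-server.argocd.svc.cluster.local": "10.96.0.20",
    "github.com.svc.cluster.local": "10.96.0.99",
}


def candidate_names(hostname, search=SEARCH, ndots=NDOTS):
    """Return the names a glibc-style resolver tries, in order.

    A name with fewer than `ndots` dots is appended to every search domain
    first and tried as an absolute name last. A name with `ndots` or more
    dots is tried absolute first. A trailing dot skips the search list.
    """
    if hostname.endswith("."):
        return [hostname]
    searched = [f"{hostname}.{domain}." for domain in search]
    absolute = [hostname + "."]
    if hostname.count(".") >= ndots:
        return absolute + searched
    return searched + absolute


def resolve(hostname, records=CLUSTER_RECORDS):
    """Resolve against the cluster zone only.

    Returns (name_that_answered, address); a miss in every candidate is
    reported as "upstream", meaning CoreDNS would forward the query to the
    real Internet resolver.
    """
    for name in candidate_names(hostname):
        address = records.get(name.rstrip("."))
        if address is not None:
            return name, address
    return hostname, "upstream"


def collisions(services, git_hosts, search=SEARCH, cluster_domain=CLUSTER_DOMAIN):
    """Flag (namespace, name) Service pairs whose cluster DNS name a Git
    host would expand to under the search list.

    `services` is a list of (namespace, name) tuples such as one would
    build from `kubectl get svc -A`.
    """
    registered = {f"{name}.{ns}.svc.{cluster_domain}" for ns, name in services}
    findings = []
    for host in git_hosts:
        for candidate in candidate_names(host, search):
            fqdn = candidate.rstrip(".")
            if fqdn in registered:
                findings.append((host, fqdn))
    return findings


# Constructed inventory: the attacker's Service is ("com", "github").
SAMPLE_SERVICES = [
    ("argocd", "argocd-repo-server"),
    ("default", "kubernetes"),
    ("com", "github"),
]
GIT_HOSTS = ["github.com", "gitlab.example.org"]


if __name__ == "__main__":
    for host in ("github.com", "github.com.", "gitlab.example.org"):
        print(host, "->", resolve(host))
    print("collisions:", collisions(SAMPLE_SERVICES, GIT_HOSTS))
```

The audit only reproduces the resolver's search order, so it also catches the quieter variants (a Namespace matching any label of a multi-label Git host) and can be run periodically against the live Service inventory as one of the monitoring checks the researchers recommend. Note that a trailing dot (github.com.) makes the name absolute and bypasses the search list entirely; that is a property of the resolver, not a supported ArgoCD setting.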

This Service, which the researchers named "Argexfil", is a proxy: it logs the credentials it receives and then forwards the traffic to the real Git server, so syncs keep succeeding and nothing looks wrong from the ArgoCD side.

Overview of the attack (source: Futuresight)

HTTPS does not stop the attack on its own, but it raises the bar. The repo-server verifies the server's TLS certificate, so the attacker additionally needs permission to add repository certificates in ArgoCD.

By generating a self-signed certificate for the spoofed host, adding it to ArgoCD's list of trusted repository certificates (kept in the argocd-tls-certs-cm ConfigMap) and terminating TLS in the proxy, the attacker completes a man-in-the-middle (MitM) and reads the credentials in the clear before re-encrypting the session towards the real Git server.

The technique captures whatever the repo-server sends on the wire: username/password pairs, personal access tokens (PATs), and the short-lived JWTs and installation access tokens that ArgoCD derives from a GitHub App's private key (the private key itself is never transmitted, but a fresh token can be harvested on every sync).

Once exfiltrated, these credentials could allow an attacker to read or modify source code, inject malicious manifests into the deployment pipeline, and potentially pivot to other systems.

Mitigations

This is not an unauthenticated vulnerability. It requires an authenticated ArgoCD session with permission to create applications (and so to deploy arbitrary manifests into the cluster) and, for HTTPS targets, permission to create repository certificates.

According to the researchers, the ArgoCD team was informed of the technique.

While acknowledging the novel approach, they did not classify it as a vulnerability in ArgoCD itself, attributing the risk to Kubernetes' default DNS behaviour and to overly permissive user configurations.

To defend against this technique, organizations are advised to:

  • Apply the principle of least privilege, restricting user permissions to the bare minimum required; in particular, confine what applications may deploy, since a cluster-scoped Namespace is what makes the name collision possible.
  • Strictly limit which users can add or modify repository certificates in ArgoCD (the certificates RBAC resource, which covers both TLS certificates and SSH known hosts).
  • Implement robust monitoring on both ArgoCD and internal Kubernetes network traffic, including Services and Namespaces whose names shadow Git hosts.
  • Prefer SSH-based Git connections where possible: SSH public-key authentication never transmits the private key, so a MitM cannot capture a reusable credential. SSH still relies on ArgoCD's known-hosts list, so the same restriction on who may edit it applies.
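The least-privilege advice above, as an added configuration example that is not from the Future Sight write-up or the ArgoCD documentation: an ArgoCD RBAC policy that lets a developer role manage applications in its own project but grants nothing on the certificates resource, and an AppProject that pins deployments to one namespace and denies every cluster-scoped kind, so a Namespace such as com cannot be created through it. The role, user, project, repository organisation and namespace names are placeholders.

```yaml
# Added example, not from the Future Sight write-up or the Argo CD docs.
# Names (team-a, alice, example-org) are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # Unmatched subjects fall back to read-only; role:readonly only grants
  # "get" on certificates, never "create".
  policy.default: role:readonly
  policy.csv: |
    # p, <subject>, <resource>, <action>, <object>, <effect>
    p, role:team-a-dev, applications, get,    team-a/*, allow
    p, role:team-a-dev, applications, create, team-a/*, allow
    p, role:team-a-dev, applications, update, team-a/*, allow
    p, role:team-a-dev, applications, delete, team-a/*, allow
    p, role:team-a-dev, applications, sync,   team-a/*, allow
    # Deliberately no "certificates" line: adding TLS certificates or SSH
    # known hosts stays with administrators, so a self-signed certificate
    # for a spoofed Git host is never trusted by the repo-server.
    g, alice, role:team-a-dev
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/example-org/*
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a
  # An empty whitelist denies all cluster-scoped resources (Namespace,
  # ClusterRole, ...). The built-in "default" project allows */* here.
  clusterResourceWhitelist: []
```

With this project an application can still create Services, but only inside team-a, where the repo-server's search path (argocd.svc.cluster.local first) would require a Service literally named github.com, which is not a valid Kubernetes name. The collision needs a Namespace named after the host's domain, and that is exactly what the empty cluster-resource whitelist blocks. Applications bound to the permissive default project should be moved to a restricted one before relying on this.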
