google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

AI PRP: Request Weak Credential tester for Argo CD #419

Open maoning opened 3 months ago

maoning commented 3 months ago

In some of the instances that we checked, the Argo CD server was exposed and only required a username and a password for gaining access.

From: https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/abusing-argo-cd-helm-and-artifact-hub-an-analysis-of-supply-chain-attacks-in-cloud-native-applications

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

redex557 commented 3 months ago

I would like to work on this

maoning commented 3 months ago

Hi @redex557,

Thanks for picking up this request. Please complete the following items before the implementation:

maoning commented 3 months ago

@redex557 Is there any update on this request? If not, I will release this back to the pool.

JamesFoxxx commented 2 months ago

@maoning I already wrote a plugin for Argo CD and I think you should assign this to me. It has been two weeks now, and according to the rules, this AI PRP should be back in the pool now!

JamesFoxxx commented 2 months ago

@maoning There is one default credential for current recent versions in here. I checked previous versions and they don't have default creds. There is only one CVE that needs to brute-force the unsafe PRNG string too, which is not feasible quickly. The blog post: https://web.archive.org/web/20220330042723/soluble.ai/blog/argo-cves-2020

maoning commented 2 months ago

@JamesFoxxx Thanks for providing the details; including the default credential you linked is sufficient for this weak credential tester. Could you check how to test for successful authentication for Argo CD (is relying on a network request sufficient)?

JamesFoxxx commented 2 months ago

@maoning Argo CD contains a login page; we can check for a successful login message.
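The exchange above asks how a weak-credential tester should decide that a login actually succeeded. The following is an added example written for this page, not code from the Tsunami plugin or from the Argo CD project. It assumes the shape of Argo CD's session API (a POST to `/api/v1/session` with a JSON `username`/`password` body that answers with a JSON `token` on success and HTTP 401 otherwise) and stands up a constructed local server that mimics that behaviour so the check runs offline; the credential `admin`/`correct-horse` and the token string are constructed test data, not real Argo CD defaults. The practitioner's caveat it illustrates: an HTTP 200 by itself is not proof of authentication, because the server hands back the single-page UI for paths it does not recognise, so the check must insist on a JSON body carrying a non-empty token.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed credential accepted by the stand-in server below (not a real Argo CD default).
FAKE_VALID = ("admin", "correct-horse")
SESSION_PATH = "/api/v1/session"  # assumed Argo CD session endpoint


class FakeArgoCDHandler(BaseHTTPRequestHandler):
    """Stand-in for argocd-server: JSON login on POST /api/v1/session,
    SPA-style HTML with HTTP 200 for every other path."""

    def log_message(self, *args):  # keep the stand-in quiet
        pass

    def _send(self, status, body, ctype):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._send(200, "<html>Argo CD</html>", "text/html")

    def do_POST(self):
        if self.path != SESSION_PATH:
            # Unknown path: the UI is served with 200, which is the false-positive trap.
            self._send(200, "<html>Argo CD</html>", "text/html")
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            creds = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            creds = {}
        if (creds.get("username"), creds.get("password")) == FAKE_VALID:
            self._send(200, json.dumps({"token": "constructed.jwt.token"}), "application/json")
        else:
            self._send(401, json.dumps({"error": "Invalid username or password", "code": 16,
                                        "message": "Invalid username or password"}), "application/json")


def try_argocd_login(base_url, username, password, session_path=SESSION_PATH, timeout=5.0):
    """Return True only for HTTP 200 with a JSON body carrying a non-empty 'token'.
    A 200 with HTML (the UI) or a 401 (bad credentials) both count as failure."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = request.Request(base_url.rstrip("/") + session_path, data=body,
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200 or "json" not in resp.headers.get("Content-Type", ""):
                return False
            try:
                payload = json.loads(resp.read().decode())
            except ValueError:
                return False
            return isinstance(payload, dict) and bool(payload.get("token"))
    except error.HTTPError:      # 401 for invalid credentials, or any other error status
        return False
    except (error.URLError, OSError):  # unreachable host, timeout
        return False


def check_candidates(base_url, candidates):
    """Try each (username, password) pair and return those that authenticated."""
    return [c for c in candidates if try_argocd_login(base_url, *c)]


def run_fake_server():
    """Start the constructed stand-in server on an ephemeral port; returns (base_url, server)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeArgoCDHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    url, srv = run_fake_server()
    try:
        print(check_candidates(url, [("admin", "admin"), ("admin", "correct-horse")]))
    finally:
        srv.shutdown()
```

Pointing `try_argocd_login` at a real instance means replacing `run_fake_server()` with the target's base URL; the decision logic is unchanged. The `session_path` parameter exists only to show the trap: posting the same credentials to a path the server does not route (for example `/login`) still yields a 200, and a status-only check would report a weak credential that does not exist.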

maoning commented 1 month ago

@JamesFoxxx Please complete the following items before the implementation:

JamesFoxxx commented 1 month ago

@maoning I found two additional default passwords here: https://github.com/argoproj/argo-cd/blob/dd3bb2bad44293a6d0852674d1982e9d066b6001/docs/faq.md?plain=1#L59-L64. I already wrote the plugin because it is hard to jump into Argo CD again after I wrote one plugin. I'm waiting for your confirmation to create a PR.