Red Hat OpenShift GitOps Privilege Escalation Vulnerability Allowing Cluster Takeover

Vulnerability

A vulnerability in OpenShift GitOps allows namespace admins to create ArgoCD Custom Resources (CRs) that manipulate permissions in other namespaces, including privileged ones. An authenticated attacker can use the resulting elevated permissions to deploy privileged workloads on master nodes, effectively gaining root access to the entire cluster. The issue stems from a RoleBinding that inadvertently grants namespace admins the ability to manage ArgoCD resources and to create Jobs or CronJobs in the targeted namespaces.

Impact

Exploitation of this vulnerability could lead to unauthorized cluster-wide privileges, allowing a namespace admin to execute privileged jobs on master nodes, with root access to the cluster.

Reproduction

To reproduce this vulnerability, a namespace admin creates an ArgoCD Custom Resource in their own namespace. By listing other namespaces, including privileged ones, in sourceNamespaces under the CR's spec section, those namespaces become targets. Once the ArgoCD CR is created, the operator annotates the specified sourceNamespaces and creates a RoleBinding there that grants access to the ServiceAccounts used by ArgoCD. That access can then be used to create privileged Jobs or CronJobs in the targeted namespace, particularly when it carries the privileged Security Context Constraint, which yields root access on master nodes.

Remediation

After upgrading to OpenShift GitOps version 1.18.2, 1.17.3, or 1.16.5, Red Hat recommends running the audit script it provides. The script reviews namespace-scoped access and identifies Roles or RoleBindings that allow cross-namespace access for the GitOps operator's features, so that administrators can confirm only the intended namespaces retain the access needed to deploy applications.
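As an added illustration (not Red Hat's audit script and not code from this advisory), the following Python sketches the kind of check such an audit performs: it walks RoleBinding and Role objects in the shape `oc get ... -o json` returns, flags bindings whose subject is an ArgoCD-named ServiceAccount from a different namespace, and reports whether the bound Role would let that account create Jobs or CronJobs. All object names and namespaces below are constructed sample data.

```python
# Constructed sample objects in the shape of parsed `oc get rolebindings -A -o json`
# and `oc get roles -A -o json` output; not real cluster data. The first binding in
# demo-ns grants a ServiceAccount from tenant-ns a Role that can create Jobs/CronJobs.
SAMPLE_ROLEBINDINGS = {"items": [
    {"metadata": {"name": "argocd-app-controller", "namespace": "demo-ns"},
     "roleRef": {"kind": "Role", "name": "argocd-app-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-application-controller",
                   "namespace": "tenant-ns"}]},
    {"metadata": {"name": "local-deployer", "namespace": "demo-ns"},
     "roleRef": {"kind": "Role", "name": "local-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "demo-ns"}]},
]}
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "argocd-app-controller", "namespace": "demo-ns"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["create"]}]},
    {"metadata": {"name": "local-deployer", "namespace": "demo-ns"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
]}

def role_can_create_jobs(role):
    """True if any rule lets the holder create Jobs or CronJobs (wildcards included)."""
    for rule in role.get("rules", []):
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        if resources & {"jobs", "cronjobs", "*"} and verbs & {"create", "*"}:
            return True
    return False

def find_cross_namespace_bindings(rolebindings, roles, name_hint="argocd"):
    """Flag RoleBindings whose subject is a ServiceAccount from a different namespace
    with name_hint in its name (the ArgoCD SAs the operator binds), and record whether
    the bound Role would let that ServiceAccount create Jobs/CronJobs there."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles["items"]}
    findings = []
    for rb in rolebindings["items"]:
        ns, ref = rb["metadata"]["namespace"], rb["roleRef"]
        # Only namespaced Roles are resolved here; ClusterRole refs are left unresolved.
        role = roles_by_key.get((ns, ref["name"])) if ref["kind"] == "Role" else None
        for subj in rb.get("subjects") or []:
            sa_ns = subj.get("namespace", ns)  # fall back to the binding's namespace
            if (subj.get("kind") != "ServiceAccount" or sa_ns == ns
                    or name_hint not in subj.get("name", "")):
                continue
            findings.append({"namespace": ns, "binding": rb["metadata"]["name"],
                             "subject": f"{sa_ns}/{subj['name']}",
                             "can_create_jobs": bool(role and role_can_create_jobs(role))})
    return findings
```

Each finding names the namespace that received the binding, the foreign ServiceAccount it empowers, and whether that Role already covers Job or CronJob creation; a real audit would also resolve ClusterRole references and SCC membership.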

Added: Dec 15, 2025, 4:22 PM
Updated: Dec 15, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 6.1
remediation: 8.3
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.