docs: document built-in user limitations and workaround (#3341)

* document security limitations * minor issue description revisions + formatting * Update security.md * move CVEs description into separate document Co-authored-by: Matt Hamilton <matt@soluble.ai> Co-authored-by: Ed Lee <edlee2121@users.noreply.github.com>
argoproj · Apr 4, 2020 · 238abbf · 238abbf
1 parent aa4fb9a
commit 238abbf
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 8 deletions.
diff --git a/SECURITY_CONTACTS b/SECURITY_CONTACTS
@@ -0,0 +1,8 @@
+# Defined below are the security contacts for this repo.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://argoproj.github.io/argo-cd/security_considerations/#reporting-vulnerabilities
+
+alexmt
+edlee2121
+jessesuen
diff --git a/docs/operator-manual/security.md b/docs/operator-manual/security.md
@@ -153,11 +153,3 @@ Payloads from webhook events are considered untrusted. Argo CD only examines the
 the involved applications of the webhook event (e.g. which repo was modified), then refreshes
 the related application for reconciliation. This refresh is the same refresh which occurs regularly
 at three minute intervals, just fast-tracked by the webhook event.
-
-## Reporting Vulnerabilities
-
-Please report security vulnerabilities by e-mailing:
-
-* [Jesse_Suen@intuit.com](mailto:Jesse_Suen@intuit.com)
-* [Alexander_Matyushentsev@intuit.com](mailto:Alexander_Matyushentsev@intuit.com)
-* [Edward_Lee@intuit.com](mailto:Edward_Lee@intuit.com)
diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md
@@ -12,6 +12,8 @@ Such token can be used to automatically create applications, projects etc.
 * Additional users for a very small team when SSO integration is overkill. The local users don't provide advanced features such as groups,
 login history etc. So if you need such features it is strongly recommended to use SSO.
 
+!!! warning "Make sure to read about security limitations related to local users in [security considerations](../../security_considerations.md) document"
+
 ### Create new user
 
 New users should be defined in `argocd-cm` ConfigMap:

diff --git a/docs/security_considerations.md b/docs/security_considerations.md
@@ -0,0 +1,48 @@
+# Security Considerations
+
+As a deployment tool, Argo CD needs to have production access which makes security a very important topic. 
+The Argoproj team takes security very seriously and continuously working on improving it. Learn more about security
+related features in [Security](./operator-manual/security.md) section.
+
+## Known Issues And Workarounds
+
+A recent security audit (thanks a lot to [Matt Hamilton](https://github.com/Eriner) of [https://soluble.ai](https://soluble.ai) )
+has revealed several limitations in Argo CD which could compromise security.
+Most of the issues are related to the built-in user management implementation.
+
+#### Insecure default administrative password - CVE-2020-8828
+
+Argo CD uses the `argocd-server` pod name (ex: `argocd-server-55594fbdb9-ptsf5`) as the default admin password.
+
+Kubernetes users able to list pods in the argo namespace are able to retrieve the default password.
+
+Additionally, In most installations, [the Pod name contains a random "trail" of characters](https://github.com/kubernetes/kubernetes/blob/dda530cfb74b157f1d17b97818aa128a9db8e711/staging/src/k8s.io/apiserver/pkg/storage/names/generate.go#L37).
+These characters are generated using [a time-seeded PRNG](https://github.com/kubernetes/apimachinery/blob/master/pkg/util/rand/rand.go#L26) and not a CSPRNG.
+An attacker could use this information in an attempt to deduce the state of the internal PRNG, aiding bruteforce attacks.
+
+The recommended mitigation as described in the user documentation is to use SSO integration. The default admin password
+should only be used for initial configuration and then [disabled](https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user)
+or at least changed to a more secure password.
+
+#### Insufficient anti-automation/anti-brute force - CVE-2020-8827
+
+Argo CD does not enforce rate-limiting or other anti-automation mechanisms which would mitigate admin password brute force.
+
+We are considering some simple options for rate-limiting.
+
+#### Session-fixation - CVE-2020-8826
+
+The authentication tokens generated for built-in users have no expiry.
+
+These issues might be acceptable in the controlled isolated environment but not acceptable if Argo CD user interface is
+exposed to the Internet.
+
+The recommended mitigation is to change the password periodically to invalidate the authentication tokens.
+
+## Reporting Vulnerabilities
+
+Please report security vulnerabilities by e-mailing:
+
+* [Jesse_Suen@intuit.com](mailto:Jesse_Suen@intuit.com)
+* [Alexander_Matyushentsev@intuit.com](mailto:Alexander_Matyushentsev@intuit.com)
+* [Edward_Lee@intuit.com](mailto:Edward_Lee@intuit.com)
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -81,6 +81,7 @@ nav:
     - developer-guide/site.md
     - developer-guide/faq.md
   - faq.md
+  - security_considerations.md
   - Support: SUPPORT.md
   - Releases ⧉: https://github.com/argoproj/argo-cd/releases
   - Roadmap ⧉: https://github.com/argoproj/argo-cd/milestones