Vulnerability in Harbor Container Registry gives attacker administrative privileges

Aviv Sasson, Paliv Alto Networks and Unit 42 researcher discovered a dangerous vulnerability in the Harbor container registry.

Its operation allows obtaining administrator rights and manage Harbor registries with default configurations. The vulnerability affects versions of Harbor from 1.7.0 to 1.8.2.

“The implications of this vulnerability are serious. There are many attack vectors that can be initiated after gaining admin permissions. The attacker can create a new user and set it to be admin. After that, they can connect to Harbor registry via the Docker command line tool with the new credentials and replace the current images with anything they desire. These can include malware, crypto miners or even worse”, — reports Aviv Sasson.

The discovered vulnerability (CVE-2019-16097) allows attackers to send a malicious request to the target system and register a new user with administrator privileges. To do this, send a POST request to “/ api / users” in “/ api / users” with a payload containing user information, as well as add the parameter “HasAdminRole”.

Read also: NETGEAR fixes DoS vulnerabilities in its N300 routers

If the same request is sent with the parameter “had_admin_role” = “True”, the new user will become an administrator. In addition, it is also possible to remove images from the registry and download malware.

According to the results of search strings, the researcher discovered 1.3 thousand vulnerable Harbor installations in the public domain.

Harbor released fixed this vulnerability in versions 1.7.6 and 1.8.3.

Sasson published the PoC vulnerability code in the form of a Python script that sends a request to create a new user with administrator rights. After running the script, you can log into the target Harbor registry from a web browser.

Mitigation:

If you have a Harbor instance with an out-of-date version, you should take immediate action to update it or at the very least block its connection to the internet. To check if you have been hacked, look for any unrecognized users with admin privileges in your Harbor instance.

Reference:

Harbor is an open source cloud native registry that stores, signs and scan images for vulnerabilities. Harbor integrates with Docker Hub, Docker Registry, Google Container Registry and other registries. It provides a simple GUI that allows users to download, upload and scan images according to their permissions.

The Harbor project has been gradually growing in popularity over the last four years and became a Cloud Native Computing Foundation (CNCF) incubating project last November. Harbor includes many notable sponsors and companies within its adopters page.

Exit mobile version