Attackers can exploit a critical security vulnerability in the Harbor cloud native registry for container images to obtain admin privileges on a vulnerable hosting system.

Harbor is open source and can integrate with Docker Hub and various image registries, such as Docker Registry and Google Container Registry, to add security, identity, and management features.

A popular product hosted by the Cloud Native Computing Foundation (CNCF), Harbor provides a secure environment that can store, sign, and scan images as well as ensure access control and activity auditing.

Create admin users

Palo Alto Networks' Unit 42 researcher Aviv Sasson discovered a critical vulnerability that could be exploited to take control of Harbor registries with the default configuration. Versions 1.7.0 through 1.8.2 are affected.

Tracked as CVE-2019-16097, the security issue allows attackers to send a malicious request to a vulnerable machine and register a new user with the privileges of an administrator.

The researcher discovered that it is possible to send a POST request to "/api/users" with a payload containing user details and also add the 'HasAdminRole' parameter.

"If we send the same request with “has_admin_role” = “True”, then the user that will be created will be an admin. It’s as simple as that," Sasson explains.

Proof-of-concept (PoC) code is available in the form of a Python script that sends out the request to create a new user with admin rights. After executing the script, one can log into the targeted Harbor registry from the web browser.
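The class of flaw described above, a request body bound directly onto a user record that includes a privilege flag, is shown here next to a handler that checks the caller first. This is an added example, not Harbor's code or the researcher's PoC; the struct, function names, and sample body are assumptions, and only the has_admin_role field name comes from the article.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is an illustrative registration payload; only the has_admin_role
// field name comes from the article.
type User struct {
	Username     string `json:"username"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// Constructed sample body: a self-registration request that also sets the admin flag.
const sampleBody = `{"username":"newuser","password":"example-only","has_admin_role":true}`

var ErrForbidden = errors.New("non-admin caller cannot create an admin user")

// registerUnsafe binds the whole body into User, so a client-supplied
// has_admin_role is accepted as-is.
func registerUnsafe(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

// registerChecked binds the same body but refuses the privileged field
// unless the authenticated caller is already an administrator.
func registerChecked(body []byte, callerIsAdmin bool) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	if u.HasAdminRole && !callerIsAdmin {
		return User{}, ErrForbidden
	}
	return u, nil
}

func main() {
	u, _ := registerUnsafe([]byte(sampleBody))
	fmt.Println("unsafe handler stored admin flag:", u.HasAdminRole)
	_, err := registerChecked([]byte(sampleBody), false)
	fmt.Println("checked handler, anonymous caller:", err)
}
```

The same authorization check applies to any field a client should not control at registration time, not only the admin flag.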

Patch and fixed versions available

Sasson scanned the internet for open Harbor instances and found 2,500 of them. Of these, the researcher determined that 1,300 are vulnerable.

"The implications of this vulnerability are serious. There are many attack vectors that can be initiated after gaining admin permissions" - Aviv Sasson

An attacker that accesses a Harbor registry could download the images for private projects and check them for vulnerabilities that could be exploited.

Deleting the content is also a possibility, but the worst scenario is to upload malicious versions of the projects that come with cryptominers, backdoors, and other types of malware.

On Wednesday, the maintainers of Harbor released new versions of the product, 1.7.6 and 1.8.3, that address CVE-2019-16097. A patch was available before these releases.
