Patch now: 1,300 Harbor cloud registries open to attack

A severe critical privilege escalation vulnerability has been found in the open source registry software.
Written by Charlie Osborne, Contributing Writer on

A critical vulnerability has been found in a popular open source cloud system that can permit attackers to take over registries by giving themselves administrative rights.

On Wednesday, researchers from Palo Alto Networks' Unit 42 said the bug was uncovered during the analysis of projects connected to the Cloud Native Computing Foundation (CNCF). 

The vulnerable software is Harbor, open source cloud registry software for storing, signing, and scanning container images for security issues. The software is compatible with Docker Hub, Docker Registry, and Google Container Registry, among others. 

Users and partners include Trend Micro, Pivotal, DataYes, and OnStar. 

Unit 42 cybersecurity researcher Aviv Sasson said the vulnerability, tracked as CVE-2019-16097, impacts firmware versions 1.7.0 -- 1.8.2. 

The privilege escalation bug allows non-admin account holders to give themselves administrator rights under default settings. 

A simple, crafted POST request sent to the /api/users API could be used to tamper with the registration of new users. By changing a standard request to add the parameter "has_admin_role," then a new user account would be created with administrator privileges. 

See also: Vulnerability in Microsoft CTF protocol goes back to Windows XP

Sasson was able to write a basic Python script to exploit the vulnerability. If used by attackers, the security flaw could become a conduit for threat actors to give themselves admin accounts and, therefore, high levels of control over Harbor setups. 

CNET: Keep Firefox from leaking your data across the Internet

"The attacker can download all of the private projects and inspect them," the researcher says. "They can delete all of the images in the registry or, even worse, poison the registry by replacing its images with their own. [...] They can connect to Harbor registry via the Docker command-line tool with the new credentials and replace the current images with anything they desire. These can include malware, crypto miners or even worse."

At the same time Sasson was compiling a report on the vulnerability's impact for the purpose of responsible disclosure, Harbor developers released a commit relating to the bug on GitHub. Harbor and the researcher then connected to pursue a CVE assignment and the release of a patch. 

"I recommend all users to update their Harbor installations immediately because this vulnerability is critical and gives anyone full access to their registry," Sasson says. 

TechRepublic: Small businesses underestimate financial damage of cyberattacks

The potential risk of exploit is real. According to Unit 42, 1,300 Harbor registries with open access provided by the Internet -- due to the use of default settings -- are vulnerable to attack and will remain so until they are updated. Or, alternatively, open access ports to the Internet should be restricted. 

The Harbor team released a patch on September 18 to resolve the security issue which has been included in firmware versions 1.7.6 and 1.8.3. A check function has been included to stop non-administrators from creating administrator accounts. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards