A critical vulnerability has been found in a popular open source cloud system that can permit attackers to take over registries by giving themselves administrative rights.
The vulnerable software is Harbor, open source cloud registry software for storing, signing, and scanning container images for security issues. The software is compatible with Docker Hub, Docker Registry, and Google Container Registry, among others.
Users and partners include Trend Micro, Pivotal, DataYes, and OnStar.
Unit 42 cybersecurity researcher Aviv Sasson said the vulnerability, tracked as CVE-2019-16097, affects Harbor versions 1.7.0 through 1.8.2.
The privilege escalation bug allows non-admin account holders to give themselves administrator rights under default settings.
A simple, crafted POST request sent to the /api/users API could be used to tamper with the registration of new users. By adding the parameter "has_admin_role" to an otherwise standard registration request, an attacker could have the new user account created with administrator privileges.
Sasson was able to write a basic Python script to exploit the vulnerability. If used by attackers, the security flaw could become a conduit for threat actors to give themselves admin accounts and, therefore, high levels of control over Harbor setups.
"The attacker can download all of the private projects and inspect them," the researcher says. "They can delete all of the images in the registry or, even worse, poison the registry by replacing its images with their own. [...] They can connect to Harbor registry via the Docker command-line tool with the new credentials and replace the current images with anything they desire. These can include malware, crypto miners or even worse."
At the same time Sasson was compiling a report on the vulnerability's impact for the purpose of responsible disclosure, Harbor developers released a commit relating to the bug on GitHub. Harbor and the researcher then connected to pursue a CVE assignment and the release of a patch.
"I recommend all users to update their Harbor installations immediately because this vulnerability is critical and gives anyone full access to their registry," Sasson says.
The potential risk of exploitation is real. According to Unit 42, 1,300 Harbor registries that are reachable from the Internet -- because they run with default settings -- are vulnerable to attack and will remain so until they are updated. Alternatively, the ports exposing them to the Internet should be restricted.
The Harbor team released a patch on September 18 to resolve the security issue, which has been included in versions 1.7.6 and 1.8.3. A check function has been added to stop non-administrators from creating administrator accounts.
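The check described above, as an added illustration in Go (Harbor's own language) that is not Harbor's code: a stand-in handler for POST /api/users that parses the request body and refuses to honour "has_admin_role" unless the caller is already an administrator. The `User` type, `createUser` function and the rule that an unauthenticated caller is self-registering are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a minimal stand-in for a registry user record (hypothetical, not Harbor's type).
// The JSON tag mirrors the request parameter named in the article.
type User struct {
	Username     string `json:"username"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// ErrForbidden is returned when a non-administrator asks for an administrator account.
var ErrForbidden = errors.New("only an administrator may grant has_admin_role")

// createUser models the registration endpoint. caller is nil for an anonymous
// self-registration and otherwise identifies the authenticated user making the call.
// The explicit HasAdminRole check is the hardening the article describes: without it,
// any client that adds "has_admin_role": true to the body receives an admin account.
func createUser(caller *User, body []byte) (User, error) {
	var req User
	if err := json.Unmarshal(body, &req); err != nil {
		return User{}, fmt.Errorf("bad request: %w", err)
	}
	if req.Username == "" {
		return User{}, errors.New("username required")
	}
	// Only an authenticated administrator may create another administrator.
	if req.HasAdminRole && (caller == nil || !caller.HasAdminRole) {
		return User{}, ErrForbidden
	}
	return req, nil
}

func main() {
	admin := User{Username: "admin", HasAdminRole: true}
	// Constructed sample requests: a self-registration asking for admin rights, a plain
	// self-registration, and an administrator creating another administrator.
	_, err := createUser(nil, []byte(`{"username":"alice","has_admin_role":true}`))
	fmt.Println("anonymous request for admin rights:", err)
	u, _ := createUser(nil, []byte(`{"username":"bob"}`))
	fmt.Println("plain self-registration admin flag:", u.HasAdminRole)
	u, _ = createUser(&admin, []byte(`{"username":"carol","has_admin_role":true}`))
	fmt.Println("admin-created account admin flag:", u.HasAdminRole)
}
```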