Critical Privilege Escalation Vulnerability Existed In Harbor Registry

Researchers have discovered a security vulnerability in Harbor cloud native registry. As revealed, a critical bug existed in Harbor container registry that could allow an attacker gain admin user privileges. Though Harbor has patched the flaw, still, hundreds of registries are vulnerable to the attack until updated.

Harbor Container Vulnerability

A researcher from Unit 42 Palo Alto Networks found a critical security vulnerability affecting  Harbor container registry. Exploiting the bug could allow an adversary to gain admin access to the registries.

As elaborated in a blog post, the privilege escalation vulnerability CVE-2019-16097, allowed an attacker to gain admin access simply by sending a malicious request to the target machine.

Specifically, the attacker could register a new user whilst sending a POST request to “/api/users” that includes user details and HasAdminRole parameter. As stated in the blog post, doing so is quite simple.

We can send a request and add the parameter “has_admin_role”.
If we send the same request with has_admin_role = True, then the user that will be created will be an admin.

The attacker could then sign-in with this new account to gain admin access. Consequently, the attacker could perform a variety of activities including registering new admin users, downloading and inspecting private projects, and replacing images with malware and crypto miners.

Harbor Released A Patch

The researcher could confirm at least 1300 registries vulnerable to this flaw. The vulnerability affected the Harbor versions 1.7.0 – 1.8.2.

Following the discovery, Harbor released a fix for this flaw with versions 1.7.6 and 1.8.3. The patch includes a check for non-admin users to create admin accounts while registering.

Users must ensure updating to the latest versions to stay protected from any exploit. Whereas, to know a possible hacking attack, users can look for unrecognized admin users on their Harbor instance.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients