Harbor Remote Privilege Escalation Vulnerability (CVE-2019-16097) Threat Alert

October 16, 2019 | Mina Hao

Overview

Harbor is an open-source project from VMware and an enterprise-class registry server that stores and distributes Docker container images. It adds functionality that enterprises require, such as security, identity, and management.

Last week, a security researcher from Unit 42 disclosed a critical privilege escalation vulnerability in Harbor (CVE-2019-16097). By that time, the maintainers of Harbor had released a patch that fixes this vulnerability. Versions 1.7.6 and 1.8.3 include this fix.

This vulnerability exists in core/api/user.go of Harbor. It allows remote non-administrative users to take over the Harbor repository: adding specified parameters to a POST /api/users request creates an administrator account.

On September 24, 2019, local time, VMware released a security advisory, announcing availability of workarounds for VMware Cloud Foundation and remediation for VMware Harbor Container Registry for PCF affected by this vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

References:

[1] Unit 42 report: https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/

[2] Harbor GitHub repository: https://github.com/goharbor/harbor

[3] VMware’s security advisory: https://www.vmware.com/security/advisories/VMSA-2019-0015.html

Affected Products and Versions

  • Harbor Version >= 1.7.0
  • Harbor Version <= 1.8.2
  • VMware Harbor Container Registry for PCF 1.7.x < 1.7.6
  • VMware Harbor Container Registry for PCF 1.8.x < 1.8.3

Unaffected Products and Versions

  • Harbor Version == 1.7.6
  • Harbor Version == 1.8.3
  • VMware Harbor Container Registry for PCF Version == 1.7.6
  • VMware Harbor Container Registry for PCF Version == 1.8.3

Security Recommendations

The Harbor team and VMware have both released new versions that fix the vulnerability in question. Users are advised to download them from the following addresses for immediate protection against this vulnerability.

Harbor v1.8.3 https://github.com/goharbor/harbor/releases/tag/v1.8.3
Harbor v1.7.6 https://github.com/goharbor/harbor/releases/tag/v1.7.6
VMware Harbor Container Registry for PCF 1.8.3 https://network.pivotal.io/products/harbor-container-registry/#/releases/470132
VMware Harbor Container Registry for PCF 1.7.6 https://network.pivotal.io/products/harbor-container-registry/#/releases/470129

A fix for VMware Cloud Foundation has yet to be created. Please visit the official website of VMware (https://www.vmware.com/security/advisories/VMSA-2019-0015.html) for the latest information.

Mitigation:

System administrators can disable “allow self-registration” via the UI or API.

  • UI: Configuration -> Authentication -> Allow Self-Registration (uncheck the check box)
  • API: Use the configuration API to update self-registration.
    PUT /api/configurations

    {"self_registration": false}
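The following triage helper is an added example, not code from Harbor, VMware or NSFOCUS. It combines the affected version range above with the self-registration mitigation to classify an instance. The function names, the sample inventory and the {"value": ...} wrapper accepted for the configuration document are assumptions.

```python
import json
import re

# First fixed release per branch, taken from the advisory (1.7.6 and 1.8.3).
FIXED = {(1, 7): (1, 7, 6), (1, 8): (1, 8, 3)}

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v1.8.2-a1b2c3d'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True for 1.7.0 <= version <= 1.8.2 that is below its branch's fix."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed

def self_registration_enabled(config_json):
    """Read self_registration; None means the setting could not be determined.

    Accepts the bare boolean used in the PUT body and, as an assumption
    about the GET response, a {"value": ...} wrapper around it.
    """
    item = json.loads(config_json).get("self_registration")
    if isinstance(item, dict):
        item = item.get("value")
    return item if isinstance(item, bool) else None

def triage(version_text, config_json):
    """Classify one instance: not-affected, mitigated, exposed or unknown."""
    if not is_affected(version_text):
        return "not-affected"
    enabled = self_registration_enabled(config_json)
    if enabled is None:
        return "unknown"
    return "exposed" if enabled else "mitigated"

if __name__ == "__main__":
    # Constructed inventory: (name, version string, configuration JSON).
    inventory = [
        ("registry-a", "v1.8.2-0f1e2d3", '{"self_registration": true}'),
        ("registry-b", "v1.7.4", '{"self_registration": {"value": false}}'),
        ("registry-c", "v1.8.3", '{"self_registration": true}'),
    ]
    for name, version, config in inventory:
        print(f"{name}: {triage(version, config)}")
```

A "mitigated" result still calls for the upgrade to 1.7.6 or 1.8.3; it only records that self-registration is off in the meantime.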


Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
