Harbor, the open source artefact registry originally from VMware and now a CNCF-graduated project, has been found to contain multiple new, high severity variants of the IDOR (Insecure Direct Object Reference) vulnerability (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667).
Harbor is a cloud-native registry that stores, signs, and scans content. It can sit in front of a variety of Docker registries in order to add security features such as user management, access control, and activity auditing.
IDOR, which is categorised as an access control vulnerability, occurs when an application uses user-supplied input to access objects directly. On the most recent OWASP Top 10 list, this class of flaw is rated as high severity and is regarded as the most serious web application security risk.
Access control systems are designed to enforce rules that stop users from acting outside the scope of their permissions. Access control failures frequently result in unauthorised disclosure, modification, or deletion of data, or in business operations being performed beyond what the user is entitled to do.
In this research, IDOR was found in VMware’s Harbor, a system that lets users manage their application artefacts more effectively. Role-based access control (RBAC) is typically recommended as a defence against IDOR vulnerabilities; this research put that notion to the test and found unexpected results.
Harbor’s IDOR vulnerability allows for the unauthorised disclosure of webhook policies. Users can set up webhook policies in Harbor to receive notifications when specific repository events occur, such as when a new artefact is pushed or when an existing one is deleted.
After adding a webhook policy, a Harbor user may retrieve the details of the established webhook policies. The vulnerability arose because, for this request, Harbor only verified that the requesting user had access to the project ID named in the request; it did not check whether the requested webhook ID actually belonged to that project.
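The access-control gap described above, shown as an added Go example that is not Harbor’s own code: the vulnerable lookup checks only that the caller is a member of the project named in the request, while the fixed lookup additionally requires the policy to belong to that project. The type, sample policies, membership table and function names are constructed for this illustration.

```go
package main

// WebhookPolicy models one webhook policy row (constructed for this example).
type WebhookPolicy struct {
	ID, ProjectID int
	Endpoint      string
}

// Constructed sample data: policy 7 belongs to project 1, policy 9 to project 2.
var policies = map[int]WebhookPolicy{
	7: {ID: 7, ProjectID: 1, Endpoint: "https://hooks.example.invalid/a"},
	9: {ID: 9, ProjectID: 2, Endpoint: "https://hooks.example.invalid/b"},
}

// Constructed membership table: user "alice" may read project 1 only.
var membership = map[string]map[int]bool{"alice": {1: true}}

func hasProjectAccess(user string, projectID int) bool {
	return membership[user][projectID]
}

// GetWebhookVulnerable reproduces the flawed pattern: it checks that the user
// may access projectID, then fetches the policy by its own ID without
// confirming that the policy belongs to that project. A nil result means
// the request was refused.
func GetWebhookVulnerable(user string, projectID, policyID int) *WebhookPolicy {
	if !hasProjectAccess(user, projectID) {
		return nil
	}
	if p, ok := policies[policyID]; ok {
		return &p
	}
	return nil
}

// GetWebhookFixed scopes the lookup to the project: the policy is returned
// only when its ProjectID matches the project the user was authorised for,
// so a valid project ID cannot be used to read another project's policies.
func GetWebhookFixed(user string, projectID, policyID int) *WebhookPolicy {
	if !hasProjectAccess(user, projectID) {
		return nil
	}
	if p, ok := policies[policyID]; ok && p.ProjectID == projectID {
		return &p
	}
	return nil
}
```

The same scoping applies to any object fetched by ID beneath a parent resource: the authorisation check must bind the child object to the parent the caller was authorised for, not merely confirm the parent.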
Another IDOR variant discloses job execution logs. Harbor’s P2P (peer-to-peer) preheating lets users integrate with P2P engines such as Dragonfly or Kraken to distribute Docker images at scale. Combining this IDOR flaw with the “ParseThru” flaw could allow an attacker to read Docker image layers they are not authorised to access.
The VMware Security Response and Harbor Engineering teams were notified of all the IDOR variants described in this announcement and immediately began working together on a prompt and effective fix. All of them have been fixed in the most recent release of Harbor.