Harbor SSRF - CVE-2020-13788

Posted by Matt Hamilton on July 15, 2020

Summary

Harbor versions prior to v2.0.1 were vulnerable to a limited Server-Side Request Forgery (SSRF) that allowed Harbor project owners to scan the TCP ports of hosts on the Harbor server's internal network.

Harbor is an open source container registry created by VMware and later contributed to the CNCF. At the time of writing, Harbor has more than twelve thousand stars on GitHub and many prominent industry partners.

This vulnerability was patched in Harbor v2.0.1, released on June 30, 2020.


Technical Details

In Harbor versions prior to v2.0.1, non-administrative users who own a project can configure webhooks, as shown below:

[Screenshot: the webhook creation form of a Harbor project, with the "Endpoint URL" field and "Test Endpoint" button]

Using the "Endpoint URL" field, an attacker can supply an arbitrary hostname and port. When the user clicks the "Test Endpoint" button, the Harbor server sends an HTTP request to that user-specified Endpoint URL.

The attacker cannot control the content of the request, nor view the resulting response, but whether the connection attempt succeeded is still observable from the outcome of the test. That is enough to abuse the feature for TCP port scans of RFC 1918 hosts on the Harbor server's internal network, hosts that are not reachable from the attacker's own vantage point.
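The following Go program, an added example that is neither Harbor's code nor its actual patch, shows both sides of the issue described above: a `VulnerableTestEndpoint` that connects wherever the project owner points it, a `ClassifyPort` oracle that turns the test's error outcome into open/closed/filtered without ever seeing a response body, and a `HardenedTestEndpoint` that resolves the hostname itself, refuses internal addresses, and dials the vetted IP directly. The blocked ranges, the two-second timeout and the `{"type":"test"}` payload are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"syscall"
	"time"
)

// Ranges a webhook test must never reach: RFC 1918 space, loopback, link-local
// (which holds the 169.254.169.254 cloud metadata address) and IPv6 equivalents.
// The list is an assumption for this example, not Harbor's.
var blockedCIDRs = []string{
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
	"169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
}

// IsInternalIP reports whether ip falls inside any blocked range.
func IsInternalIP(ip net.IP) bool {
	for _, cidr := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// postTest sends the fixed test payload; the caller never sees the response body.
func postTest(client *http.Client, endpoint string) error {
	resp, err := client.Post(endpoint, "application/json", strings.NewReader(`{"type":"test"}`))
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// VulnerableTestEndpoint mirrors the pre-2.0.1 behaviour described above: the
// server connects to whatever URL the project owner supplied, no questions asked.
func VulnerableTestEndpoint(endpoint string) error {
	return postTest(&http.Client{Timeout: 2 * time.Second}, endpoint)
}

// ClassifyPort is the attacker's oracle. Request body and response stay hidden, but
// "connection refused", a timeout and a completed TCP handshake still surface as
// distinguishable test outcomes, which is all a port scan needs.
func ClassifyPort(host string, port int) string {
	err := VulnerableTestEndpoint("http://" + net.JoinHostPort(host, fmt.Sprint(port)) + "/")
	var ne net.Error
	switch {
	case err == nil:
		return "open"
	case errors.Is(err, syscall.ECONNREFUSED) || strings.Contains(err.Error(), "connection refused"):
		return "closed"
	case errors.As(err, &ne) && ne.Timeout():
		return "filtered"
	default:
		return "open" // handshake completed; the peer simply did not speak HTTP
	}
}

// HardenedTestEndpoint resolves the hostname itself, rejects any internal address,
// and dials the vetted IP directly, so a DNS answer that changes between check and
// connect (rebinding) cannot redirect the request.
func HardenedTestEndpoint(endpoint string) error {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		for _, ip := range ips {
			if IsInternalIP(ip.IP) {
				return nil, fmt.Errorf("endpoint %s resolves to internal address %s", host, ip.IP)
			}
		}
		d := &net.Dialer{Timeout: 2 * time.Second}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
	}
	client := &http.Client{
		Transport: &http.Transport{DialContext: dial},
		Timeout:   2 * time.Second,
		// A webhook test has no reason to follow redirects; refuse them outright.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	return postTest(client, endpoint)
}

func main() {
	// Constructed demo target: refused before any packet leaves the host.
	fmt.Println(HardenedTestEndpoint("http://169.254.169.254/"))
}
```

Two design points matter more than the block list itself. First, the check lives inside the dialer rather than in a separate "validate URL, then request" step: validating the hostname up front and then letting the HTTP client resolve it again hands an attacker a time-of-check/time-of-use window via DNS rebinding, and also misses redirects, which `CheckRedirect` refuses here for good measure. Second, the hardened version still leaks open/closed for external hosts through its error, which is acceptable for a webhook tester; what it must not do is let a project owner use the registry as a vantage point into address space they cannot reach themselves.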


Test it yourself!

If you would like to set up your own Harbor server and proxy to test this as we did in the video above, see our blog post on Cinderella, free and ephemeral Kubernetes clusters that are perfect for situations like this. Here's our video on creating a Cinderella cluster and deploying Harbor and mitmproxy using our open source kubectl plugin, kubetap:


Timeline

4/13/2020 - Vulnerability identified by Matt Hamilton @ Soluble
4/14/2020 - Vulnerability reported to Harbor team
6/08/2020 - Vulnerability patched in git
6/30/2020 - Vulnerability fix tagged in release v2.0.1
7/15/2020 - Public disclosure 


Topics: Kubernetes, vulnerability, open-source, cve, SSRF, Harbor

Written by Matt Hamilton

Matt Hamilton (OSCP), is a principal security researcher at Soluble, where he focuses on Kubernetes security research. He was formerly with Bishop Fox, where he worked on black-box penetration testing, application assessments, source code review, and mobile application review for clients, which included large global organizations and high-tech start-ups. Matt is responsible for more than a dozen CVEs. Matt was a founding member of OpenToAll, an online team for security competitions whose purpose is to mentor newcomers to the security community. He is a responsible disclosure advocate, and loves the Go programming language.