Wednesday, November 20, 2024
Homecyber securityHigh Severity IDOR Bugs inCNCF ‘Harbor’ Project by VMware

High Severity IDOR Bugs inCNCF ‘Harbor’ Project by VMware

Published on

Oxeye, the provider of award-winning cloud-native application security, today announced that its security researchers have uncovered several new high severity variants of the IDOR (Insecure Director Object Reference) vulnerabilities in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. 

Harbor is an open-source cloud native registry project that stores, signs and scans content. It can integrate with various Docker registries to provide security features such as user management, access control and activity auditing. 

Classified as an access control vulnerability, IDOR occurs when an application uses user-supplied input to access objects directly. IDOR is a high severity threat and is considered to be the most serious web application security risk on the most current OWASP top 10 list.

- Advertisement - SIEM as a Service

Access control systems are designed to enforce policies that prevent users from acting outside of intended permissions.

Access control failures typically lead to unauthorized information disclosure, modification, data deletion, or the performance of business functions outside of a user’s limits.

In this research, IDOR was discovered in VMware’s Harbor, which allows users to better manage their application artifacts. Role-based access control (RBAC) in place is usually a best practice against IDOR vulnerabilities, but this research tested that theory with surprising results.

The IDOR vulnerability in Harbor leads to the disclosure of webhook policies without authorization. Harbor allows users to configure webhook policies to receive notifications about certain events in the repository, e.g., when a new artifact is pushed or when an existing one is deleted.

Once a webhook policy is added, a Harbor user may view details of the created webhook policies.

In this example, the vulnerability occurred because Harbor only attempted to validate that the requesting user had access to the project ID specified in the request.

But it failed to validate that the requested webhook ID belonged to the specified project ID.

Another IDOR variant leads to the disclosure of job execution logs. P2P (peer-to-peer) preheating allows Harbor users to integrate with P2P engines such as Dragonfly or Kraken to distribute Docker images at scale.

By combining this IDOR vulnerability with the “ParseThru” vulnerability identified previously by the Oxeye research team, an attacker may have the ability to read Docker image layers to which they lack access credentials.

The following IDOR CVE numbers link back to GitHub and are associated with the vulnerabilities mentioned above. 

“While role-based access control (RBAC) is important for maintaining a strong security position, it is not the end-all for absolute system defense against IDOR vulnerabilities,” said Ron Vider, CTO and Co-founder, Oxeye.

“As revealed by Oxeye security researchers Gal Goldshtein and Daniel Abeles, implementing more robust practices that include setting strict roles for API endpoints, simulating threat actors to test those roles in an attempt to break permission models, and avoiding property duplication to maintain a single source of truth can ensure resiliency.” 

All IDOR variants mentioned in this announcement have been communicated to the VMware Security Response and Harbor Engineering teams, who promptly collaborated towards a quick and effective resolution. All have been addressed (fixed) in the latest version of Harbor. For additional information on the IDOR vulnerability in Harbor, please visit the Oxeye security blog at https://www.oxeye.io/blog/guess-whos-rbac

“The quality of the open source software and commercial distributions we and our partners distribute is vital to us and to the organizations that use it. We are grateful to Oxeye and its researchers for their diligence in finding vulnerabilities and their excellent collaboration in helping us address them.” – Roger Klorese, Product Line Manager, Project Harbor, VMware

Oxeye customers can leverage the Oxeye cloud-native security platform to detect and mitigate these IDOR vulnerabilities.

If you are interested in learning more about how Oxeye can assist with cloud native application security challenges, please visit https://www.oxeye.io/get-a-demo to register for a demonstration.

Resources:

●          Follow Oxeye on Twitter at @OxeyeSecurity

●          Follow Oxeye on LinkedIn

●          Visit Oxeye online at http://www.oxeye.io

About Oxeye

Oxeye provides a cloud-native application security solution designed specifically for modern container and Kubernetes-based architectures.

The company enables customers to quickly identify and resolve all application-layer risks as an integral part of the software development lifecycle by offering a seamless, comprehensive, and effective solution that ensures touchless assessment, focus on the exploitable risks, and actionable remediation guidance. Built for Dev and AppSec teams, Oxeye helps to shift security to the left while accelerating development cycles, reducing friction, and eliminating risks. To learn more, please visit www.oxeye.io.

Latest articles

ANY.RUN Sandbox Automates Interactive Analysis of Complex Cyber Attack Chains

ANY.RUN, a well-known interactive malware analysis platform, has announced Smart Content Analysis, an enhancement...

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...

Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Water Barghest, a sophisticated botnet, exploits vulnerabilities in IoT devices to enlist them in...

North Korean IT Worker Using Weaponized Video Conference Apps To Attack Job Seakers

North Korean IT workers, operating under the cluster CL-STA-0237, have been implicated in recent...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

ANY.RUN Sandbox Automates Interactive Analysis of Complex Cyber Attack Chains

ANY.RUN, a well-known interactive malware analysis platform, has announced Smart Content Analysis, an enhancement...

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...

Water Barghest Botnet Comprised 20,000+ IoT Devices By Exploiting Vulnerabilities

Water Barghest, a sophisticated botnet, exploits vulnerabilities in IoT devices to enlist them in...