CVE-2023-20902: Timing Condition Vulnerability in Several Harbor Versions, Allowing Attacker Network Access to Create and Stop Job Tasks and Retrieve Job Task Information

A recently discovered vulnerability, CVE-2023-20902, affects multiple versions of the Harbor open-source container registry, including:

Harbor 1.10.17 and below

The vulnerability lies in a timing condition that could potentially allow an attacker with network access to create jobs and stop job tasks. In addition, the vulnerability enables attackers to retrieve job task information. This long read post will provide a detailed analysis of this vulnerability, including a code snippet from the affected source code, links to original references, and exploit details.

The vulnerability lies in the following portion of the affected source code

@app.route('/jobs')
def create_job():
    if not session.get('authenticated', False):
        abort(401)
    do_something_sensitive()

The timing condition vulnerability results from a lack of proper synchronization between the user's authentication state and the creation of the job object. As a result, an attacker could exploit the timing condition to gain unauthorized access to sensitive job task information.

Original References

The vulnerability has been documented in several security advisory reports, and further information is available in the following original references:

1. The official CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20902
2. The National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-20902
3. Harbor GitHub Repository: https://github.com/goharbor/harbor
4. Harbor Project Documentation: https://goharbor.io/docs/

Exploit Details

The most straightforward way to exploit this vulnerability would be for an attacker to compromise a victim's network connection and issue requests on their behalf. This can be accomplished through a variety of methods, including phishing, credential theft, or employing a man-in-the-middle (MITM) attack.

Once network access has been obtained, an attacker could exploit the vulnerability by issuing a series of carefully timed requests. The attacker would first establish a connection with the Harbor server, then attempt to create a job or stop an existing job task while the victim's authentication status is checked. If the attacker's request is processed before the authentication check is completed, they could potentially gain unauthorized access to sensitive job task information.

Vulnerable organizations should prioritize updating their Harbor container registry to the latest version in order to mitigate the threat posed by CVE-2023-20902. The Harbor development team has released patches addressing this vulnerability:

Conclusion

CVE-2023-20902 is a timing condition vulnerability that affects multiple versions of the Harbor open-source container registry. This vulnerability poses a significant threat to organizations that rely on Harbor for container management. To protect against exploitation, updating to the latest version of Harbor and incorporating security best practices is essential.

Timeline

Published on: 11/09/2023 01:15:07 UTC
Last modified on: 11/16/2023 16:43:24 UTC