Skip to content

Harbor timing attack risk

Moderate severity GitHub Reviewed Published Oct 8, 2023 in goharbor/harbor • Updated Nov 16, 2023

Package

gomod github.com/goharbor/harbor (Go)

Affected versions

< 1.10.18
>= 2.0.0, < 2.7.3
>= 2.8.0, < 2.8.3

Patched versions

1.10.18
2.7.3
2.8.3

Description

In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks. The vulnerability occurs due to the following code: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
To avoid this issue, constant time comparison should be used.

subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0

Impact

This attack might be possible theoretically, but no workable proof of concept is available, and access complexity is set at High.
The jobservice exposes these APIs

Create a job task --- POST /api/v1/jobs    
Get job task information --- GET /api/v1/jobs/{job_id}
Stop job task ---  POST /api/v1/jobs/{job_id}
Get job log task ---  GET /api/v1/jobs/{job_id}/log
Get job execution --- GET /api/v1/jobs/{job_id}/executions
Get job stats ---  GET /api/v1/stats
Get job service configuration ---  GET /api/v1/config

It is used to create jobs/stop job tasks and retrieve job task information. If an attacker obtains the secrets, it is possible to retrieve the job information, create a job, or stop a job task.

The following versions of Harbor are involved:
<=Harbor 2.8.2, <=Harbor 2.7.2, <= Harbor 2.6.x, <=Harbor 1.10.17

Patches

Harbor 2.8.3, Harbor 2.7.3, Harbor 1.10.18

Workarounds

Because the jobservice only exposes HTTP service to harbor-core containers, blocking any inbound traffic from the external network to the jobservice container can reduce the risk.

Credits

Thanks to Porcupiney Hairs for reporting this issue.

References

@stonezdj stonezdj published to goharbor/harbor Oct 8, 2023
Published to the GitHub Advisory Database Oct 10, 2023
Reviewed Oct 10, 2023
Published by the National Vulnerability Database Nov 9, 2023
Last updated Nov 16, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

0.135%
(50th percentile)

CVE ID

CVE-2023-20902

GHSA ID

GHSA-mq6f-5xh5-hgcf

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.