=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN394

_____________________________________________________________________

DATE                : 11/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Harbor versions prior to 2.8.3,
                                      2.7.3, 1.10.18.

=====================================================================
https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf
_____________________________________________________________________


Timing attack risk in Harbor
Moderate
stonezdj published GHSA-mq6f-5xh5-hgcf


Package
Harbor

Affected versions
<2.8.3, <2.7.3, <1.10.18

Patched versions
v2.8.3, v2.7.3, v1.10.18


Description

In the Harbor jobservice container, the comparison of secrets in the
authenticator type is prone to timing attacks. The vulnerability
occurs due to the following code:

harbor/src/jobservice/api/authenticator.go, line 69 in aaea068:

  if expectedSecret != secret {

To avoid this issue, constant time comparison should be used:

  subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0
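
Added example (not Harbor's code and not the actual patch): the flagged
comparison pattern beside a hardened form built on the constant-time
comparison recommended above. The function names and the sample secrets are
hypothetical; hashing before comparing and rejecting an empty expected secret
are extra hardening steps that the advisory does not mention.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// insecureMatch mirrors the pattern flagged in the advisory: Go's string
// comparison may stop at the first differing byte, so its running time can
// depend on how much of the secret a caller has guessed correctly.
func insecureMatch(expectedSecret, secret string) bool {
	return expectedSecret == secret
}

// secureMatch compares fixed-length SHA-256 digests in constant time.
// subtle.ConstantTimeCompare returns 0 immediately when the two slices
// differ in length, so hashing first means both inputs to the comparison
// always have the same size (32 bytes).
func secureMatch(expectedSecret, secret string) bool {
	// An unset expected secret (misconfiguration) must never authenticate.
	if expectedSecret == "" {
		return false
	}
	want := sha256.Sum256([]byte(expectedSecret))
	got := sha256.Sum256([]byte(secret))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

func main() {
	const expected = "constructed-sample-secret" // constructed value
	candidates := []string{expected, "constructed-sample-secreT", "short", ""}
	for _, c := range candidates {
		fmt.Printf("%-28q insecure=%-5v secure=%v\n",
			c, insecureMatch(expected, c), secureMatch(expected, c))
	}
	// Misconfiguration case: both the expected and the provided secret are empty.
	fmt.Println("empty/empty:", insecureMatch("", ""), secureMatch("", ""))
}
```
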


Impact

This attack might be possible theoretically, but no workable proof
of concept is available, and access complexity is set at High.


The jobservice exposes these APIs:

Create a job task --- POST /api/v1/jobs
Get job task information --- GET /api/v1/jobs/{job_id}
Stop job task --- POST /api/v1/jobs/{job_id}
Get job log task --- GET /api/v1/jobs/{job_id}/log
Get job execution --- GET /api/v1/jobs/{job_id}/executions
Get job stats --- GET /api/v1/stats
Get job service configuration --- GET /api/v1/config

These APIs are used to create and stop job tasks and to retrieve job
task information. If an attacker obtains the secrets, it is possible
to retrieve the job information, create a job, or stop a job task.

The following versions of Harbor are involved:
Harbor <= 2.8.2, Harbor <= 2.7.2, Harbor <= 2.6.x, Harbor <= 1.10.17


Patches

Harbor 2.8.3, Harbor 2.7.3, Harbor 1.10.18


Workarounds

Because the jobservice exposes its HTTP service only to harbor-core
containers, blocking any inbound traffic from the external
network to the jobservice container can reduce the risk.


Credits

Thanks to Porcupiney Hairs for reporting this issue.

Severity
Moderate

CVE ID
CVE-2023-20902

Weaknesses
No CWEs



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
