Skip to content

Latest commit

 

History

History
88 lines (79 loc) · 9.55 KB

attack-surface.md

File metadata and controls

88 lines (79 loc) · 9.55 KB

Attack Surface Analysis for goharbor/harbor

Attack Surface: Authentication and Authorization Bypass (Web UI & API)

  • Description: Attackers exploit vulnerabilities within Harbor's authentication or authorization mechanisms to gain unauthorized access to the Harbor UI or Registry API. This allows bypassing login procedures or privilege escalation within Harbor.
  • Harbor Contribution: Harbor's specific implementation of authentication (local users, LDAP, OIDC integration) and authorization controls for UI and API access is the direct source of this attack surface. Flaws in Harbor's code handling authentication or role-based access control are exploited.
  • Example:
    • Web UI: An attacker exploits an SQL injection vulnerability in Harbor's login form to bypass authentication and gain admin access.
    • Registry API: An attacker finds a flaw in Harbor's token validation process of the Registry API, allowing unauthorized image push or pull operations.
  • Impact: Complete compromise of the Harbor instance, including access to all projects, images, and sensitive data managed by Harbor. Attackers can manipulate images, delete projects, and potentially gain further access depending on Harbor's environment.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Developers (Harbor Team):
      • Implement rigorous input validation and output encoding throughout Harbor's codebase, especially in authentication and authorization modules.
      • Conduct thorough security testing, including penetration testing and code reviews specifically targeting Harbor's authentication and authorization logic.
      • Follow secure coding practices to prevent common web vulnerabilities like SQL injection, XSS, and command injection within Harbor's development.
      • Keep Harbor's dependencies, especially authentication-related libraries used by Harbor, up to date with the latest security patches.
    • Users (Harbor Deployers/Administrators):
      • Enforce strong password policies for local users if local authentication is used in Harbor.
      • Properly configure and secure integration with external authentication providers (LDAP, OIDC) as configured within Harbor.
      • Regularly review user roles and permissions within Harbor projects and system settings to ensure least privilege access.
      • Monitor Harbor's authentication logs for suspicious activity.

Attack Surface: Image Manifest and Layer Manipulation

  • Description: Attackers exploit vulnerabilities in Harbor's handling of image manifests and layers to inject malicious content into container images or manipulate image metadata within Harbor. This can lead to users unknowingly pulling and running compromised images from Harbor.
  • Harbor Contribution: Harbor's core function of storing, managing, and serving container images makes its image handling logic the direct contributor. Vulnerabilities in Harbor's Registry API or storage backend code related to image processing are exploited.
  • Example:
    • An attacker exploits a vulnerability in Harbor's image layer processing to inject malicious code into a seemingly legitimate image layer stored in Harbor.
    • An attacker manipulates the image manifest within Harbor's storage to point to malicious layers or alter image metadata, misleading users about images pulled from Harbor.
  • Impact: Supply chain compromise originating from Harbor. Users pulling images from the compromised Harbor instance may unknowingly deploy and run malicious containers, leading to security breaches in their environments.
  • Risk Severity: High
  • Mitigation Strategies:
    • Developers (Harbor Team):
      • Implement strict validation and sanitization of image manifests and layers within Harbor's image processing components during push and pull operations.
      • Utilize content addressable storage in Harbor's backend to ensure image immutability and integrity.
      • Implement and enforce content trust mechanisms (e.g., Notary integration) within Harbor to verify image signatures and origins.
      • Regularly audit and review Harbor's image handling code for potential vulnerabilities.
    • Users (Harbor Users):
      • Enable and enforce content trust if configured and used in Harbor (Notary integration).
      • Implement vulnerability scanning for images stored in Harbor and before deployment.
      • Establish processes for verifying the integrity and origin of images pulled from Harbor.
      • Monitor Harbor's image push and pull logs for suspicious activities.

Attack Surface: Insecure Default Configurations

  • Description: Harbor is deployed with insecure default configurations provided by the Harbor installation process, such as default passwords, exposed management ports, or disabled security features. Attackers can exploit these Harbor-specific misconfigurations to gain unauthorized access or compromise the Harbor instance.
  • Harbor Contribution: Harbor's default installation settings and configuration options directly contribute to this attack surface if not properly secured during deployment. The initial state of Harbor as delivered can be insecure if not hardened.
  • Example:
    • Using default administrator credentials provided in Harbor's initial setup allows attackers to easily gain administrative access.
    • Exposing Harbor's components (like database port if default network settings are used) directly to the internet without proper firewall rules.
    • Disabling TLS encryption for communication with Harbor components by default.
  • Impact: Unauthorized access to Harbor, data breaches, denial of service, and potential compromise of the underlying infrastructure hosting Harbor.
  • Risk Severity: High to Critical
  • Mitigation Strategies:
    • Developers (Harbor Team):
      • Provide secure default configurations for Harbor out-of-the-box and clearly document required post-installation security hardening steps specific to Harbor.
      • Implement security checklists and best practices guides tailored for Harbor deployment.
      • Consider automated security configuration tools or scripts to help users deploy Harbor securely following Harbor-specific best practices.
    • Users (Harbor Deployers/Administrators):
      • Immediately change all default passwords upon Harbor installation.
      • Follow security hardening guides and best practices specifically for Harbor deployment.
      • Properly configure network policies and firewalls to restrict access to Harbor components.
      • Enable TLS encryption for all communication channels within Harbor.
      • Regularly review and audit Harbor configurations for security weaknesses.

Attack Surface: Database Vulnerabilities due to Harbor Deployment

  • Description: While general database vulnerabilities exist, this focuses on vulnerabilities arising from how Harbor is deployed and configured with its database (PostgreSQL). Misconfigurations or vulnerabilities in the database setup related to Harbor's deployment process can be exploited.
  • Harbor Contribution: Harbor's deployment process and configuration instructions influence how the database is set up. Insecure default database configurations suggested or implied by Harbor's documentation or setup scripts contribute to this attack surface.
  • Example:
    • Harbor's deployment guide might not sufficiently emphasize strong database password requirements, leading to weak credentials.
    • Default network configurations in Harbor's deployment might expose the database port unnecessarily.
    • Insufficient guidance on database hardening in Harbor's documentation can lead to insecure database setups.
  • Impact: Data breaches, data integrity compromise, denial of service, and potential complete compromise of the Harbor instance and potentially the underlying infrastructure if the database server is compromised due to Harbor-related misconfigurations.
  • Risk Severity: High to Critical
  • Mitigation Strategies:
    • Developers (Harbor Team):
      • Provide clear and strong guidance on secure database configuration specifically for Harbor deployments.
      • Include database hardening best practices in Harbor's documentation and deployment guides.
      • Consider providing secure database configuration scripts or tools as part of Harbor's deployment process.
    • Users (Harbor Deployers/Administrators):
      • Secure the PostgreSQL database server with strong passwords and proper access controls following Harbor's deployment and security recommendations.
      • Regularly update PostgreSQL to the latest stable version with security patches as recommended for Harbor deployments.
      • Harden the database server configuration according to security best practices in the context of Harbor's requirements.
      • Restrict network access to the database server to only necessary components as per Harbor's architecture.
      • Implement database monitoring and auditing to detect suspicious activities related to Harbor's database usage.