Summary
On February 4th 2023, it was observed that a large number of installations of https://github.com/goharbor/harbor use a default JWT key when issuing service tokens. These tokens can be used to push/pull any image from the Harbor registry, which serves Docker container images.
The root cause was a default credential used in the configuration of installing Harbor with https://github.com/goharbor/harbor-helm.
Harbor security advisory: GHSA-j7jh-fmcm-xxwv
Severity
Critical – this key can be used to impersonate an administrative user and push/pull any image.
Proof of Concept
Instances using this vulnerable key can be identified by the "key ID" (kid) contained in the header of a JWT token response. To check an instance for this key, visit the URL:
/service/token?service=harbor-registry&scope=repository:test/test:push
A vulnerable instance will contain the string:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjdXTUE6S1ZYTzpLRjI1OjM1TkE6R0ozNTpaR0tZOlBHWVQ6STVVVDpUR1dZOlVVSTQ6UFQ3WjpYM0tXIiwidHlwIjoiSldUIn0
Decoded this value is:
{"alg":"RS256","kid":"7WMA:KVXO:KF25:35NA:GJ35:ZGKY:PGYT:I5UT:TGWY:UUI4:PT7Z:X3KW","typ":"JWT"}
The key identified by this kid value can be found here:
https://github.com/goharbor/harbor-helm/blob/a658bcafeb6e4e9797763171fd0c8a0dc2c43d2b/cert/tls.key
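As an added example (not part of the advisory or of the Harbor project), a small Python checker that performs the identification step above: it decodes the JOSE header of a token returned by the /service/token endpoint and compares its kid with the ID of the default harbor-helm key. It assumes the endpoint's JSON body carries the token under the "token" field, as in the Docker registry token protocol.

```python
import base64
import json

# Key ID of the default harbor-helm tls.key, as quoted in the advisory above.
DEFAULT_HARBOR_KID = "7WMA:KVXO:KF25:35NA:GJ35:ZGKY:PGYT:I5UT:TGWY:UUI4:PT7Z:X3KW"

# Header segment of a token issued by an affected instance, quoted from the advisory.
SAMPLE_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjdXTUE6S1ZYTzpLRjI1OjM1TkE6R0ozNTpaR0tZOlBHWVQ6"
    "STVVVDpUR1dZOlVVSTQ6UFQ3WjpYM0tXIiwidHlwIjoiSldUIn0"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_header(header: dict) -> str:
    # Inverse of _b64url_decode for building header segments (used in checks below).
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    # Parse only the header (first dot-separated segment); the signature is not verified.
    return json.loads(_b64url_decode(token.split(".")[0]))


def uses_default_key(token: str) -> bool:
    # True when the token was signed with the publicly known default key.
    return jwt_header(token).get("kid") == DEFAULT_HARBOR_KID


def check_service_response(body: str) -> bool:
    # body is the JSON returned by /service/token; "token" is assumed (Docker token protocol).
    return uses_default_key(json.loads(body)["token"])


if __name__ == "__main__":
    # Constructed response body: header from the advisory, placeholder payload and signature.
    body = json.dumps({"token": SAMPLE_HEADER_SEGMENT + ".e30.sig"})
    print("default key in use:", check_service_response(body))  # default key in use: True
```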
Timeline
Date reported: 02/18/2023
Date fixed: 03/30/2023
Date disclosed: 06/28/2023