**Default Administrator Credentials in Harbor (goharbor/harbor): A Supply-Chain Risk**
Harbor, the open-source CNCF container registry maintained at github.com/goharbor/harbor, ships with a default administrator account: username "admin", password "Harbor12345". The password is documented, so any deployment that keeps it is effectively unauthenticated to anyone who can reach the registry's HTTP interface. An attacker who logs in with it holds full administrative control over the registry, and with it over every container image the registry serves to downstream builds and clusters.
The issue was reported by notnotnotveg (thanks for bringing it to our attention!). Harbor is an OCI-compliant registry that stores, signs, scans, and replicates container images. At installation time the initial administrator password is taken from the harbor_admin_password setting in harbor.yml, whose shipped template carries the value Harbor12345. Operators are expected to replace it during or after deployment, but Harbor neither rejects the default at install time nor forces a password change on first login, so an installation that follows the defaults stays open until someone remembers to change it.
**The Risks of Unchanged Default Credentials**
If the default credentials remain unchanged, a remote attacker can authenticate with the publicly known password and obtain full administrative access to the registry. That access enables several malicious actions:
* **Supply-chain attacks**: an administrator can overwrite or push malicious images under trusted tags, which leads to code execution in every CI/CD pipeline and Kubernetes cluster that pulls them.
* **Persistent access**: the attacker can create additional users and robot accounts, or reset other users' passwords, so that access survives a later change of the admin password.
* **Weakened security controls**: administrative privileges allow the attacker to disable vulnerability scanning, signature and content-trust enforcement, and project-level role-based access controls.
* **Exfiltration**: sensitive images can be copied out by configuring replication to an attacker-controlled external registry, or simply pulled directly.
* **Destruction**: repositories can be deleted or artifacts overwritten, causing service disruption and loss of integrity for everything that depends on the registry.
**Prevention and Mitigation**
Operators should set a unique value for harbor_admin_password in harbor.yml before running the installer, or change the admin password immediately after the first start through the Harbor web interface or API. Note that harbor.yml only seeds the password on the very first launch; once the database has been initialized, editing harbor.yml has no effect and the password must be changed through the UI or API. It is also worth verifying, rather than assuming, that no registry in the fleet still accepts the default: a login attempt with admin/Harbor12345 against the registry's API is a cheap check to run from a scheduled job.
A change has been proposed upstream to remove or randomize the default credentials at installation time (GitHub pull request: https://github.com/goharbor/harbor/pull/19188). If adopted, operators would be required to choose the administrator password when deploying, instead of inheriting a published one.
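The following script is an added example, not code from the Harbor project: it checks whether a Harbor instance still accepts the shipped admin/Harbor12345 credentials and mints a replacement value for the harbor_admin_password line in harbor.yml. It assumes Harbor's v2 REST endpoint /api/v2.0/users/current (which returns the caller's account when Basic-auth credentials are valid) and the password policy enforced by the Harbor UI (8 to 128 characters with at least one upper-case letter, one lower-case letter and one digit); both the endpoint and the policy regex are assumptions to confirm against your Harbor release. The `fetch` parameter is injectable so the audit logic can be exercised offline.

```python
"""Audit a Harbor instance for the default admin credentials and mint a
replacement password for harbor.yml.

Added example, not Harbor project code.  Assumptions: the v2 API path
/api/v2.0/users/current answers 200 for valid Basic-auth credentials, and
the Harbor password policy is 8-128 chars with upper, lower and digit.
"""
import base64
import re
import secrets
import string
import urllib.error
import urllib.request

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "Harbor12345"  # shipped default from the harbor.yml template

# Assumed Harbor password policy (mirrors the UI validation message).
PASSWORD_POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,128}$")


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def http_status(url: str, headers: dict) -> int:
    """GET the URL and return the HTTP status; 0 means unreachable."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # 401/403 etc. still carry a status
    except urllib.error.URLError:
        return 0                   # DNS/TCP/TLS failure


def classify_login(status: int) -> str:
    """Map the status of /users/current onto an audit verdict."""
    if status == 200:
        return "default-credentials-accepted"
    if status in (401, 403):
        return "rejected"
    if status == 0:
        return "unreachable"
    return f"inconclusive-http-{status}"


def audit_default_admin(base_url: str, fetch=http_status) -> str:
    """Try the shipped admin credentials against a Harbor instance."""
    url = base_url.rstrip("/") + "/api/v2.0/users/current"
    headers = {
        "Authorization": basic_auth_header(DEFAULT_USER, DEFAULT_PASSWORD),
        "Accept": "application/json",
    }
    return classify_login(fetch(url, headers))


def meets_policy(password: str) -> bool:
    """True if the password satisfies the assumed Harbor policy."""
    return PASSWORD_POLICY.fullmatch(password) is not None


def generate_admin_password(length: int = 24) -> str:
    """Random password from a CSPRNG; resample until the policy is met."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def harbor_yml_line(password: str) -> str:
    """The harbor.yml setting to replace before running the installer."""
    if not meets_policy(password):
        raise ValueError("password does not satisfy Harbor's policy")
    return f"harbor_admin_password: {password}"


if __name__ == "__main__":
    import sys
    # Hypothetical target host; pass your registry URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://harbor.example.internal"
    print(f"{target}: {audit_default_admin(target)}")
    print("replacement line for harbor.yml:")
    print(harbor_yml_line(generate_admin_password()))
```

Run it against each registry URL from a scheduled job and alert on the verdict "default-credentials-accepted". The generated password only matters for a fresh install; on an already-initialized instance, set it through the UI or API instead of harbor.yml.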
In conclusion, Harbor's default administrator credentials are a reminder that a published default password is no password at all. Secure configuration at deployment time, plus a periodic audit that actually tries the default against every registry you run, keeps the images your pipelines and clusters pull from being silently replaced.