Menu
MinIO is a High-Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with the Amazon S3 cloud storage service. It can handle unstructured data such as photos, videos, log files, backups, and container images with a current maximum supported object size of 50TB.
Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket.
To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.
As part of an “exploit chain” involving both CVE-2023-28432 and CVE-2023-28434, an attacker may be able to perform unauthorised Execution of Arbitrary Code. In the attack chain, the flaws are said to have been weaponized by the adversary to obtain admin credentials and abuse the foothold to replace the MinIO client on the host with a trojanized version by triggering an update command specifying a MIRROR_URL.
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of DATE. Prioritisation should be given to remediation in any impacted environment.
It is believed that around 30,000 instances of MinIO worldwide may be vulnerable at the time of writing (2023-09-20).
This issue has been patched in RELEASE.2023-03-20T20-16-18Z. Update to the latest version. Releases can be downloaded from the MinIO downloads page, at https://min.io/download#/kubernetes.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
As a temporary mitigation or workaround, enable browser API access and turn off MINIO_BROWSER=off.
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References:
Category: Arbitrary Code Execution
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380
