**CRITICAL RISK** CVE-2023-28434 MinIO Vulnerability – Unauthorised Insertion of Arbitrary Objects into Buckets due to Improper Privilege Management in Console API

MinIO is a High-Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with the Amazon S3 cloud storage service. It can handle unstructured data such as photos, videos, log files, backups, and container images with a current maximum supported object size of 50TB.

Background & Context

MinIO is a High-Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with the Amazon S3 cloud storage service. It can handle unstructured data such as photos, videos, log files, backups, and container images with a current maximum supported object size of 50TB.

 

Vulnerability Summary

Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket.

To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

 

Impact If Exploited

As part of an “exploit chain” involving both CVE-2023-28432 and CVE-2023-28434, an attacker may be able to perform unauthorised Execution of Arbitrary Code. In the attack chain, the flaws are said to have been weaponized by the adversary to obtain admin credentials and abuse the foothold to replace the MinIO client on the host with a trojanized version by triggering an update command specifying a MIRROR_URL.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of DATE. Prioritisation should be given to remediation in any impacted environment.

It is believed that around 30,000 instances of MinIO worldwide may be vulnerable at the time of writing (2023-09-20).

 

Affected Product Versions

  • All MinIO versions prior to RELEASE.2023-03-20T20-16-18Z

Indicators of Compromise

Timeline

  • 2023-03-22 – Initial vulnerability report published by NVD
  • 2023-07-19 (approx.) – Exploit chain uncovered by researcher
  • 2023-09-04 – Exploit chain reported by researcher/discovered
  • 2023-09-20 – Exploit chain reported by CISA as being used at scale in the wild

 

Remediation

Official Fix & Remediation Guidance

This issue has been patched in RELEASE.2023-03-20T20-16-18Z. Update to the latest version. Releases can be downloaded from the MinIO downloads page, at https://min.io/download#/kubernetes.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

Temporary Mitigation & Workarounds

As a temporary mitigation or workaround, enable browser API access and turn off MINIO_BROWSER=off.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References:

Category: Arbitrary Code Execution

 

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch