Headline
CVE-2023-28434: Privilege Escalation on Linux/MacOS
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket
. To carry out this attack, the attacker requires credentials with arn:aws:s3:::*
permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off
.
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object
into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker
requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.
Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
Workarounds
Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.
References
The vulnerable code:
// minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // … // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName® if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if !guessIsRPCReq® && !guessIsBrowserReq® && !guessIsHealthCheckReq® && !guessIsMetricsReq® && !isAdminReq® && !isKMSReq® { if ok { tc.FuncName = “handler.ValidRequest” tc.ResponseRecorder.LogErrBody = true } writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL) return } } // …
Related news
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
### Impact An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. ### Patches ``` commit 67f4ba154a27a1b06e48bfabda38355a010dfca5 Author: Aditya Manthramurthy <[email protected]> Date: Sun Mar 19 21:15:20 2023 -0700 fix: post policy request security bypass (#16849) ``` ### Workarounds Browser API access must be enabled turning off `MINIO_BROWSER=off` allows for this workaround. ### References The vulnerable code: ```go // minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // ... // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName(r) if isMinioReservedBucket(buc...
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and