Headline
GHSA-2pxw-r47w-4p8c: Privilege Escalation on Linux/MacOS
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket
. To carry out this attack, the attacker requires credentials with arn:aws:s3:::*
permission, as well as enabled Console API access.
Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
Workarounds
Browser API access must be enabled turning off MINIO_BROWSER=off
allows for this workaround.
References
The vulnerable code:
// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// ...
// For all other requests reject access to reserved buckets
bucketName, _ := request2BucketObjectName(r)
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
if ok {
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
}
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
return
}
}
// ...
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-28434
Privilege Escalation on Linux/MacOS
High severity GitHub Reviewed Published Mar 21, 2023 in minio/minio • Updated Sep 5, 2023
Package
gomod github.com/minio/minio (Go)
Affected versions
< 0.0.0-202303200415
Patched versions
0.0.0-202303200415
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.
Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
Workarounds
Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.
References
The vulnerable code:
// minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // … // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName® if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if !guessIsRPCReq® && !guessIsBrowserReq® && !guessIsHealthCheckReq® && !guessIsMetricsReq® && !isAdminReq® && !isKMSReq® { if ok { tc.FuncName = “handler.ValidRequest” tc.ResponseRecorder.LogErrBody = true } writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL) return } } // …
References
- GHSA-2pxw-r47w-4p8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434
- minio/minio#16849
- minio/minio@67f4ba1
Published to the GitHub Advisory Database
Sep 5, 2023
Related news
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.