GHSA-2pxw-r47w-4p8c: Privilege Escalation on Linux/MacOS

Impact

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Patches

commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date:   Sun Mar 19 21:15:20 2023 -0700

    fix: post policy request security bypass (#16849)

Workarounds

Browser API access must be enabled; turning off MINIO_BROWSER=off allows for this workaround.

References

The vulnerable code:

// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // ...
    // For all other requests reject access to reserved buckets
    bucketName, _ := request2BucketObjectName(r)
    if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
      if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
        if ok {
          tc.FuncName = "handler.ValidRequest"
          tc.ResponseRecorder.LogErrBody = true
        }
        writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
        return
      }
    }
    // ...
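The excerpt above shows the shape of the problem: the reserved-bucket rejection sits behind a chain of request-classification guesses, so a request that satisfies any one of those guesses never reaches the check. The following Go program is an added illustration, not MinIO's code and not the contents of commit 67f4ba1; the bucket names, the TrustedHint field and the guard functions are constructed for this example. It places a weak, heuristic-gated guard beside a strict one that applies the reserved-bucket rule unconditionally on the object-write path, and emits the audit line a defender would want logged when such a write is attempted.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed reserved namespace for this example; MinIO's real internal bucket
// names are not reproduced here.
var reservedBuckets = map[string]bool{
	".example-sys":  true,
	".example-meta": true,
}

var errReservedBucket = errors.New("writes to reserved/metadata buckets are not allowed")

// isReservedBucket reports whether a bucket belongs to the server's internal namespace.
func isReservedBucket(name string) bool {
	return reservedBuckets[name]
}

// PostPolicyRequest models the fields of a browser-upload (POST policy) request that
// matter for this check. TrustedHint stands in for any "this looks like a console,
// RPC, health or metrics request" guess derived from attributes the client controls.
type PostPolicyRequest struct {
	Bucket      string
	Key         string
	TrustedHint bool
}

// weakGuard mirrors the pattern in the advisory's excerpt: the reserved-bucket
// rejection only fires when none of the classification guesses matched, so a
// request that satisfies one of them skips the check entirely.
func weakGuard(req PostPolicyRequest) error {
	if isReservedBucket(req.Bucket) && !req.TrustedHint {
		return errReservedBucket
	}
	return nil
}

// strictGuard applies the rule unconditionally at the write path: no request
// classification, however derived, can exempt a write into the metadata namespace.
func strictGuard(req PostPolicyRequest) error {
	if isReservedBucket(req.Bucket) {
		return errReservedBucket
	}
	return nil
}

// handlePostPolicy is the object-write path. It applies the supplied guard, stores
// the object on success, and returns the audit line worth logging either way.
func handlePostPolicy(req PostPolicyRequest, guard func(PostPolicyRequest) error, store map[string]string) (string, error) {
	if err := guard(req); err != nil {
		return fmt.Sprintf("DENY bucket=%s key=%s reason=%q", req.Bucket, req.Key, err), err
	}
	store[req.Bucket+"/"+req.Key] = "uploaded"
	return fmt.Sprintf("ALLOW bucket=%s key=%s", req.Bucket, req.Key), nil
}

func main() {
	store := map[string]string{}
	// Constructed request: a write into the metadata bucket by a request that
	// happens to satisfy a "trusted" classification guess.
	req := PostPolicyRequest{Bucket: ".example-sys", Key: "config/anything", TrustedHint: true}
	guards := map[string]func(PostPolicyRequest) error{"weak": weakGuard, "strict": strictGuard}
	for name, g := range guards {
		line, err := handlePostPolicy(req, g, store)
		fmt.Printf("%-6s %s (err=%v)\n", name, line, err)
	}
}
```

The DENY line carries bucket, key and reason so that a single alert rule on `reason="writes to reserved/metadata buckets..."` surfaces every attempt, whether or not the request looked like console traffic.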
High severity • GitHub Reviewed • Published Mar 21, 2023 in minio/minio • Updated Sep 5, 2023

Package

gomod github.com/minio/minio (Go)

Affected versions

< 0.0.0-202303200415

Patched versions

0.0.0-202303200415

References

  • GHSA-2pxw-r47w-4p8c
  • https://nvd.nist.gov/vuln/detail/CVE-2023-28434
  • minio/minio#16849
  • minio/minio@67f4ba1

Published to the GitHub Advisory Database

Sep 5, 2023

Related news

Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted

Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and

CVE-2023-28434: Privilege Escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.