Headline
Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and
Vulnerability / Server Security
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers.
Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance.
The comprises CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8), the former of which was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023.
The two vulnerabilities “possess the potential to expose sensitive information present within the compromised installation and facilitate remote code execution (RCE) on the host where the MinIO application is operational,” Security Joes said in a report shared with The Hacker News.
In the attack chain investigated by the company, the flaws are said to have been weaponized by the adversary to obtain admin credentials and abuse the foothold to replace the MinIO client on the host with a trojanized version by triggering an update command specifying a MIRROR_URL.
“The mc admin update command updates all MinIO servers in the deployment,” the MinIO documentation reads. “The command also supports using a private mirror server for environments where the deployment does not have public internet access.”
“The culmination of these actions permits the attacker to orchestrate a deceptive update,” Security Joes said. “By replacing the authentic MinIO binary with its ‘evil’ counterpart, the attacker seals the compromise of the system.”
The malicious modifications to the binary expose an endpoint that receives and executes commands via HTTP requests, effectively acting as a backdoor. The commands inherit the system permissions of the user who initiated the application.
UPCOMING WEBINAR
Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security
Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.
Supercharge Your Skills
It’s worth noting that the altered version of the binary is a replica of an exploit named Evil MinIO that was published on GitHub in early April 2023. That said, there is no evidence to suggest a connection between the two.
What’s evident is that the threat actor is proficient in working with bash scripts and Python, not to mention take advantage of the backdoor access to drop supplementary payloads from a remote server for post-exploitation via a downloader script.
The script, capable of targeting both Windows and Linux environments, functions as a gateway to profile the compromised hosts, based on which it’s determined whether the execution must be terminated or not.
“This dynamic approach underscores the threat actor’s strategic approach in optimizing their efforts based on the perceived value of the compromised system,” Security Joes said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
### Impact An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. ### Patches ``` commit 67f4ba154a27a1b06e48bfabda38355a010dfca5 Author: Aditya Manthramurthy <[email protected]> Date: Sun Mar 19 21:15:20 2023 -0700 fix: post policy request security bypass (#16849) ``` ### Workarounds Browser API access must be enabled turning off `MINIO_BROWSER=off` allows for this workaround. ### References The vulnerable code: ```go // minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // ... // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName(r) if isMinioReservedBucket(buc...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.