From e75a27700ee177821194729a99d55584e3af5a6b Mon Sep 17 00:00:00 2001 From: Maximand Date: Tue, 26 Sep 2023 12:12:35 +0200 Subject: [PATCH] Casefile MinIO --- _cases/2023/DIVD-2023-00037.md | 54 ++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 _cases/2023/DIVD-2023-00037.md diff --git a/_cases/2023/DIVD-2023-00037.md b/_cases/2023/DIVD-2023-00037.md new file mode 100644 index 00000000..def2b17d --- /dev/null +++ b/_cases/2023/DIVD-2023-00037.md @@ -0,0 +1,54 @@ +--- +layout: case +title: Security Feature Bypass in MinIO +excerpt: "An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket, resulting in compromise of the server." +author: Max van der Horst +lead: Alwin Warringa +researchers: +- Alwin Warringa +cves: +- CVE-2023-28432 +- CVE-2023-28434 +product: +- MinIO Storage System +versions: +- All versions before RELEASE.2023-03-20T20-16-18Z +recommendation: Upgrade by installing the issued patch as soon as possible or apply the mentioned workaround. +patch_status: patches available +workaround: Enable Browser API Access and disable 'MINIO_BROWSER' +status : Open +start: 2023-09-26 +end: +timeline: +- start: 2023-09-26 + end: + event: "DIVD starts scanning for this vulnerability." +- start: 2023-09-26 + end: + event: "First version of this casefile." + +# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) +--- +## Summary + +Prior to MinIO version RELEASE.2023-03-020T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. + +## Recommendations + +Install the patched version of RELEASE.2023-03-20T20-16-18Z or apply the workaround by enabling browser API access and turning off `MINIO_BROWSER`. + +## What we are doing + +DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps. + + +{% comment %} Leave this here, so we see a timeline {% endcomment %} +{% include timeline.html %} + + +## More information + +* [CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432) +* [CVE-2023-28434](https://nvd.nist.gov/vuln/detail/CVE-2023-28434) +* [HackerNews Article](https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html) +* [MinIO Advisory](https://blog.min.io/tag/security-advisory/)