MinIO #676

Merged: 1 commit, Sep 26, 2023
54 changes: 54 additions & 0 deletions _cases/2023/DIVD-2023-00037.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
layout: case
title: Security Feature Bypass in MinIO
excerpt: "An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket, resulting in compromise of the server."
author: Max van der Horst
lead: Alwin Warringa
researchers:
- Alwin Warringa
cves:
- CVE-2023-28432
- CVE-2023-28434
product:
- MinIO Storage System
versions:
- All versions before RELEASE.2023-03-20T20-16-18Z
recommendation: Upgrade by installing the issued patch as soon as possible or apply the mentioned workaround.
patch_status: patches available
workaround: Enable Browser API Access and disable 'MINIO_BROWSER'
status : Open
start: 2023-09-26
end:
timeline:
- start: 2023-09-26
end:
event: "DIVD starts scanning for this vulnerability."
- start: 2023-09-26
end:
event: "First version of this casefile."

# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials)
---
## Summary

Prior to MinIO version RELEASE.2023-03-020T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

## Recommendations

Install the patched version of RELEASE.2023-03-20T20-16-18Z or apply the workaround by enabling browser API access and turning off `MINIO_BROWSER`.

## What we are doing

DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps.


{% comment %} Leave this here, so we see a timeline {% endcomment %}
{% include timeline.html %}


## More information

* [CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432)
* [CVE-2023-28434](https://nvd.nist.gov/vuln/detail/CVE-2023-28434)
* [HackerNews Article](https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html)
* [MinIO Advisory](https://blog.min.io/tag/security-advisory/)
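Review bot: The version string in the Summary, `RELEASE.2023-03-020T20-16-18Z`, has an extra zero in the month field and does not match the `versions:` front matter or the Recommendations section, which both give `RELEASE.2023-03-20T20-16-18Z`; correct it so the affected-version line can be matched by operators comparing their build string. The workaround is also phrased three different ways in one file: the front matter says "Enable Browser API Access and disable 'MINIO_BROWSER'", the Summary says "enable browser API access and turn off `MINIO_BROWSER=off`" (turning off a setting that is already `=off` reads as a contradiction), and Recommendations says "turning off `MINIO_BROWSER`"; settle on one wording that states exactly which setting to change and to which value. Two CVEs are listed in `cves:` but the Summary only describes the `PostPolicyBucket` bucket-name check bypass, so the reader cannot tell what the second identifier covers; add a sentence for it or the casefile reads as if one issue were listed twice. Minor: `status : Open` has a stray space before the colon unlike the other keys, and the `end:` fields are left empty; confirm the `case` layout and `timeline.html` include tolerate null values there.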