CVE-2023-28434
Published 2023-03-22
Priority: P185 · high · CVSS 3.1: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2023-10-10)
Exploited in the wild
EPSS: 6.74% (93.1st percentile)
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0 < 0.0.0-202303200415 | 0.0.0-202303200415 |
| minio | minio | < RELEASE.2023-03-20T20-16-18Z | RELEASE.2023-03-20T20-16-18Z |
| minio | minio | < 2023-03-20t20-16-18z | 2023-03-20t20-16-18z |
Detection & IOCs (extracted from sources)
- Detect CVE-2023-28434 exploitation attempts by monitoring HTTP POST requests to MinIO endpoints where the Content-Type header is `multipart/form-datA` (capital A); this bypasses the server-side regex check `multipart/form-data*`, which inadvertently matches the truncated string.
- Monitor for POST requests targeting the `/.minio.sys/` bucket path, especially writes to `config/iam/service-accounts/`; this is the privilege escalation write path used in exploitation.
- Alert on use of `mc admin update` commands pointing to external/untrusted URLs; this is the RCE delivery mechanism chained after CVE-2023-28434 privilege escalation, using the evil_minio project.
- CVE-2023-28434 is frequently chained with CVE-2023-28432 (information disclosure leaking MINIO_SECRET_KEY / MINIO_ROOT_PASSWORD). Detections should look for both: a POST to `/minio/health/cluster` or `/minio/login` for the info-disclosure, followed by PostPolicyBucket abuse.
- The attack requires credentials with `arn:aws:s3:::*` permission and enabled Console API access. Audit IAM policies for overly broad S3 wildcard permissions on MinIO instances.
- CVE-2023-28434 only affects MinIO versions prior to RELEASE.2023-03-20T20-16-18Z. Instances already patched to this release or later are not vulnerable.
- Exploitation requires Console API access to be enabled. Disabling it (MINIO_BROWSER=off) is a documented workaround, though enabling browser API access is the preferred mitigation path.
- The regex bypass (`multipart/form-data*` matching `multipart/form-dat`) is the root cause. The fix was applied in commit 67f4ba154a27a1b06e48bfabda38355a010dfca5; WAF rules should normalize or strictly validate Content-Type headers on MinIO endpoints.
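As an added example (not from the original page or from MinIO's code base), a small Python checker that runs the detection points above over a few constructed request-log lines: it shows why the quoted regex `multipart/form-data*` also accepts a Content-Type of `multipart/form-dat` or `multipart/form-datA`, flags POSTs whose Content-Type passes the loose check but fails an exact one, and flags POST writes under the `/.minio.sys/` metadata bucket. The `METHOD PATH CONTENT-TYPE` log shape and the sample lines are assumptions for the demo, not MinIO's audit-log format.

```python
import re

# Constructed sample request log in a simple "METHOD PATH CONTENT-TYPE" shape
# (not MinIO's own audit-log format). Lines 2, 3 and 5 are the interesting ones.
SAMPLE_LOG = """\
POST /uploads multipart/form-data; boundary=b1
POST /uploads multipart/form-datA; boundary=b1
POST /.minio.sys/config/iam/service-accounts/svc multipart/form-dat
GET /minio/health/cluster -
POST /.minio.sys/backup application/octet-stream
"""

# The pattern quoted in the detection notes. The trailing '*' quantifies only the
# final 'a', so "multipart/form-dat" (zero a's) and "multipart/form-datA" match too.
LOOSE_FORM_RE = re.compile(r"multipart/form-data*")

METADATA_BUCKET_PREFIX = "/.minio.sys/"


def loose_match(content_type: str) -> bool:
    """The weak check: a prefix regex with a misplaced quantifier."""
    return LOOSE_FORM_RE.match(content_type) is not None


def exact_match(content_type: str) -> bool:
    """Hardened check: isolate the media type and compare it exactly."""
    media_type = content_type.split(";", 1)[0].strip()
    return media_type == "multipart/form-data"


def analyze(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every POST that trips a detection rule."""
    findings = []
    for line in log_text.splitlines():
        method, path, content_type = line.split(" ", 2)
        if method != "POST":
            continue
        reasons = []
        # Rule 1: Content-Type the loose regex accepts but the exact check rejects.
        if loose_match(content_type) and not exact_match(content_type):
            reasons.append("content-type-bypass")
        # Rule 2: any POST aimed at the internal metadata bucket.
        if path.startswith(METADATA_BUCKET_PREFIX):
            reasons.append("metadata-bucket-write")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for hit_path, hit_reasons in analyze(SAMPLE_LOG):
        print(hit_path, ",".join(hit_reasons))
```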
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
## GHSA: Privilege Escalation on Linux/MacOS
ghsa · 2023-09-05 · HIGH · CWE-269
### Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
### Patches
```
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
```
### Workarounds
Browser API access must be enabled; turning off `MINIO_BROWSER=off` allows for this workaround.
### References
The vulnerable code:
```go
// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http
```
## OSV: Privilege Escalation on Linux/MacOS
osv · 2023-09-05 · HIGH (same advisory text as the GHSA entry above)
## OSV: CVE-2023-28434: Minio is a Multi-Cloud Object Storage framework
osv · 2023-03-22 · CVSS 8.8 · HIGH
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
## VulnCheck: MinIO Security Feature Bypass Vulnerability
vulncheck · 2023 · CVSS 8.8 · HIGH · CWE-269
MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
Affected: MinIO / MinIO
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
## CISA: MinIO Security Feature Bypass Vulnerability
cisa · 2023-09-19 · CVSS 8.8 · HIGH · CWE-269
Affected: MinIO / MinIO
MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434
Remediation Due Date: 2023-10-10
No detection rules found.
No public exploits indexed.
## GreyNoise: The Seventh Day Of Tagsmas (2023): MinIO Information Disclosure Attempt (CVE-2023-28432)
blogs_greynoiseio · CVSS 7.5 · HIGH
## CTF: minioday / README
ctf_writeups · 2024 · CVSS 7.5 · HIGH · CVE-2023-28432
# minioday - Real World CTF 6th (web, 11 solved, 290p)
## Introduction
minioday is a web task.
An archive containing a Dockerfile and minio data is given.
The container is using minio in version `RELEASE.2023-03-13T19-46-17Z`.
## Known vulnerabilities
By looking for information about that specific version of minio, one can find
the official [security advisory] from minio's blog.
The advisory mentions two vulnerabilities: [CVE-2023-28432] and
[CVE-2023-28434].
The first vulnerability leaks environment variables from the server.
Since they contain the username and password of the administrator account, an
attacker can use this account to log in and push a malicious update to take over
the machine.
This vulnerability is not exploitable because it requires clustering which has
not been
References
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434
Timeline
- 2023-03-22: Published
- 2023-09-19: Added to CISA KEV
- Exploited in the wild