CVE-2024-24747
Published 2024-01-31
Priority: P2 · 73 · Severity: high · CVSS 3.1 base score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 34.09% (98.2th percentile)
MinIO is a high-performance object storage server. When someone creates an access key, it inherits the permissions of the parent key, not only for `s3:*` actions but also for `admin:*` actions. This means that unless `admin` rights are explicitly denied somewhere above in the access-key hierarchy, an access key can simply override its own `s3` permissions with something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
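As an added example, not code from the advisory or from MinIO, the following Python models the evaluation rule the description implies and checks a service-account policy against it: a policy that is silent about `admin:*` leaves the key with its parent's admin rights on an unpatched server, while an explicit `Deny` on `admin:*` cuts them off. Both policy documents are constructed, `inherits_admin_from_parent` is a model of the described behaviour rather than MinIO's code, and the action name `admin:UpdateServiceAccount` is assumed to be the one MinIO checks for the update-service-account call.

```python
import fnmatch
import json

# Assumed MinIO admin action name behind POST /minio/admin/v3/update-service-account.
ESCALATION_ACTION = "admin:UpdateServiceAccount"

# Constructed sample: a restricted service-account policy of the kind the advisory
# describes (read-only on one bucket). It is silent about admin:* actions.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::public", "arn:aws:s3:::public/*"]},
    ],
})

# Hardened variant: the same s3 grant plus an explicit Deny on every admin action,
# which is the condition the advisory names for not being exploitable.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::public", "arn:aws:s3:::public/*"]},
        {"Effect": "Deny", "Action": ["admin:*"]},
    ],
})


def _as_list(value):
    """IAM-style policies allow either a string or a list in Action/Statement."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def explicit_effect(policy_json: str, action: str):
    """'Deny' if any statement explicitly denies `action`, 'Allow' if one allows
    it and none denies it, None if the policy does not mention it at all.
    Deny wins over Allow, as in IAM evaluation."""
    policy = json.loads(policy_json)
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            effects.add(stmt.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def inherits_admin_from_parent(policy_json: str, parent_has_admin: bool = True) -> bool:
    """Model of the pre-fix behaviour described in the advisory (not MinIO's code):
    for an action the service-account policy does not explicitly deny, the key
    falls back to the parent's rights. With an admin parent and no Deny, the key
    can call the update-service-account API and rewrite its own s3 grant."""
    return parent_has_admin and explicit_effect(policy_json, ESCALATION_ACTION) != "Deny"


def admin_actions_explicitly_denied(policy_json: str) -> bool:
    """Hardening audit: does the policy deny the whole admin:* namespace?"""
    return explicit_effect(policy_json, "admin:*") == "Deny"


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: inherits parent admin rights = {inherits_admin_from_parent(policy)}, "
              f"admin:* explicitly denied = {admin_actions_explicitly_denied(policy)}")
```

The hardened document is the shape to attach when creating restricted keys on a server that cannot be upgraded yet, and `admin_actions_explicitly_denied` is the one-line audit to run over every existing service-account policy; a policy that merely omits admin actions is not a restriction on an unpatched server.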
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0 < 0.0.0-20240131185645-0ae4915a9391 | 0.0.0-20240131185645-0ae4915a9391 |
| minio | minio | < RELEASE.2024-01-31T20-20-33Z | RELEASE.2024-01-31T20-20-33Z |
| minio | minio | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /minio/admin/v3/update-service-account with a non-empty body: this is the privilege-escalation step, in which a restricted access key overwrites its own policy to gain broader s3:* permissions.
- Alert on a POST to /api/v1/service-account-credentials followed shortly by a POST to /minio/admin/v3/update-service-account from the same session or IP: this two-step sequence (create a key, then escalate it) is the exploit pattern.
- Look for the fixed hex payload bytes (e1fd1c29...) in the body of POST requests to the MinIO admin update-service-account endpoint: this is the hardcoded payload the public exploit uses to escalate permissions.
- Inventory MinIO versions prior to RELEASE.2024-01-31T20-20-33Z: any instance running an older release is vulnerable to access-key privilege inheritance abuse.
- Detect access keys that successfully call admin:* actions (e.g., update-service-account) when they were created with only an s3:* policy scope: this indicates exploitation of the permission-inheritance flaw.
- The exploit signs its requests with AWS Signature Version 4 (sign_v4_s3) for region us-east-1 and sends the X-Amz-Content-Sha256 and X-Amz-Date headers; correlate these headers on admin-endpoint calls from service accounts to detect abuse (every SigV4 client sends them, so they attribute a request to an access key rather than indicate abuse on their own).
- The exploit targets the MinIO console API port (default 9090) for login, bucket and key management, and the MinIO S3 API port (default 9000) for the admin privilege-escalation call, so both ports must be monitored.
- The exploit supports HTTPS targets via a --https flag with TLS verification disabled (verify=False), so detection rules must cover both HTTP and HTTPS traffic on the relevant ports.
- The privilege escalation only succeeds if admin:* rights are not explicitly denied somewhere in the access-key hierarchy; deployments that explicitly deny admin actions in parent key policies are not vulnerable.
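The first two rules above, run over constructed log records, as an added example that is not from the page's sources or from MinIO: the record shape (`ts`, `src`, `port`, `method`, `path`, `status`, `auth`) is a hypothetical proxy-log layout, not MinIO's audit-log schema, and the access keys, hosts and signatures in it are made up. `find_service_account_escalation` needs the set of known service-account keys, which in practice comes from the deployment's inventory (e.g. the output of `mc admin user svcacct list`).

```python
import re
from datetime import datetime, timedelta

ADMIN_UPDATE_SA = "/minio/admin/v3/update-service-account"   # S3/admin API, port 9000
CONSOLE_CREATE_SA = "/api/v1/service-account-credentials"   # console API, port 9090
SEQUENCE_WINDOW_SECONDS = 300

# Constructed sample records in a hypothetical proxy-log shape (not MinIO's own
# audit-log schema). `auth` is the request's Authorization header; for SigV4 it
# carries the signing access key in its Credential scope.
SAMPLE_LOG = [
    {"ts": "2024-02-01T10:00:01Z", "src": "203.0.113.7", "port": 9090, "method": "POST",
     "path": "/api/v1/login", "status": 204, "auth": ""},
    {"ts": "2024-02-01T10:00:05Z", "src": "203.0.113.7", "port": 9090, "method": "POST",
     "path": CONSOLE_CREATE_SA, "status": 201, "auth": ""},
    {"ts": "2024-02-01T10:00:09Z", "src": "203.0.113.7", "port": 9000, "method": "POST",
     "path": ADMIN_UPDATE_SA + "?accessKey=SVCKEY123", "status": 204,
     "auth": "AWS4-HMAC-SHA256 Credential=SVCKEY123/20240201/us-east-1/s3/aws4_request, "
             "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=ab12"},
    {"ts": "2024-02-01T10:00:12Z", "src": "203.0.113.7", "port": 9000, "method": "GET",
     "path": "/private/secret.txt", "status": 200,
     "auth": "AWS4-HMAC-SHA256 Credential=SVCKEY123/20240201/us-east-1/s3/aws4_request, "
             "SignedHeaders=host;x-amz-date, Signature=cd34"},
    # Benign: the root user editing a service account from an admin host, with no
    # console key creation from that host shortly before it.
    {"ts": "2024-02-01T11:30:00Z", "src": "10.0.0.5", "port": 9000, "method": "POST",
     "path": ADMIN_UPDATE_SA + "?accessKey=SVCKEY999", "status": 204,
     "auth": "AWS4-HMAC-SHA256 Credential=minioadmin/20240201/us-east-1/s3/aws4_request, "
             "SignedHeaders=host;x-amz-date, Signature=ef56"},
]

CRED_RE = re.compile(r"Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMAT)


def sigv4_access_key(auth_header: str):
    """Access key from a SigV4 Authorization header, or None if the request is unsigned."""
    m = CRED_RE.search(auth_header or "")
    return m.group(1) if m else None


def is_update_sa(rec) -> bool:
    """POST to the admin update-service-account endpoint, ignoring the query string."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == ADMIN_UPDATE_SA


def find_service_account_escalation(records, service_account_keys):
    """Rule 1: a service-account key signing an update-service-account call.
    Root or an admin user editing service accounts is routine; a service account
    doing it is the escalation step the advisory describes.
    Returns (ts, src, access_key) tuples."""
    return [(r["ts"], r["src"], sigv4_access_key(r["auth"]))
            for r in records
            if is_update_sa(r) and sigv4_access_key(r["auth"]) in service_account_keys]


def find_create_then_escalate(records, window_seconds: int = SEQUENCE_WINDOW_SECONDS):
    """Rule 2: console key creation followed within `window_seconds` by an
    update-service-account POST from the same source address.
    Returns (src, create_ts, update_ts) tuples."""
    window = timedelta(seconds=window_seconds)
    last_creation = {}   # src -> time of its most recent console key creation
    hits = []
    for r in sorted(records, key=lambda x: parse_ts(x["ts"])):
        if r["method"] == "POST" and r["path"] == CONSOLE_CREATE_SA:
            last_creation[r["src"]] = parse_ts(r["ts"])
        elif is_update_sa(r) and r["src"] in last_creation:
            created = last_creation[r["src"]]
            if timedelta(0) <= parse_ts(r["ts"]) - created <= window:
                hits.append((r["src"], created.strftime(TS_FORMAT), r["ts"]))
    return hits


if __name__ == "__main__":
    print("rule 1:", find_service_account_escalation(SAMPLE_LOG, {"SVCKEY123", "SVCKEY999"}))
    print("rule 2:", find_create_then_escalate(SAMPLE_LOG))
```

The hex-payload rule is deliberately left out: it matches one published exploit body and nothing else, while the two rules here catch the behaviour whatever tooling produced it. Rule 1 is the stronger of the two, since the advisory's escalation is precisely a non-admin key succeeding at an admin call; Rule 2 is the attacker's typical sequence and catches the case where the service-account inventory is stale.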
OSV (osv · 2024-06-28)
CVE-2024-24747: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio
GHSA (ghsa · 2024-02-01)
CVE-2024-24747 [HIGH] CWE-269: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation
### Summary
When someone creates an access key, it inherits the permissions of the parent key, not only for
`s3:*` actions but also for `admin:*` actions. This means that unless the `admin` rights are
explicitly denied somewhere above in the access-key hierarchy, an access key can simply
override its own `s3` permissions with something more permissive.
Credit to @xSke for sort of accidentally discovering this. I only understood the implications.
### Details / PoC
We spun up the latest version of minio in a docker container and signed in to the admin UI
using the minio root user. We created two buckets, `public` and `private` and created an
access key called `mycat` and attached the following policy to
OSV (osv · 2024-02-01)
CVE-2024-24747 [HIGH]: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation
Summary and PoC text identical to the GHSA entry above.
References
- https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776
- https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z
- https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4