cbcvebase.
CVE-2024-24747
published 2024-01-31

Priority: P2 / 73 / high · CVSS 3.1 base score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 34.09% (98.2nd percentile)
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key, not only for `s3:*` actions but also for `admin:*` actions. This means that, unless the `admin` rights are denied somewhere above in the access-key hierarchy, an access key can simply override its own `s3` permissions with something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

Affected (3 ranges)

Vendor      Product      Version range                                Fixed in
github.com  minio_minio  >= 0, < 0.0.0-20240131185645-0ae4915a9391    0.0.0-20240131185645-0ae4915a9391
minio       minio        < RELEASE.2024-01-31T20-20-33Z               RELEASE.2024-01-31T20-20-33Z
minio       minio        (range not given)                            (not given)

Detection & IOCs (extracted from sources)

URLs:
  • /api/v1/login
  • /api/v1/buckets
  • /api/v1/service-account-credentials
  • /minio/admin/v3/update-service-account
  • Detect POST requests to /minio/admin/v3/update-service-account with a non-empty body — this is the privilege escalation step where a restricted access key overrides its own policy to gain broader s3:* permissions.
  • Alert on POST to /api/v1/service-account-credentials immediately followed by POST to /minio/admin/v3/update-service-account from the same session/IP — this two-step sequence (create key, then escalate it) is the exploit pattern.
  • Look for the fixed hex payload bytes (e1fd1c29...) in the body of POST requests to the MinIO admin update-service-account endpoint — this is the hardcoded exploit payload used to escalate permissions.
  • Monitor for MinIO versions prior to RELEASE.2024-01-31T20-20-33Z — any instance running an older release is vulnerable to access key privilege inheritance abuse.
  • Detect access keys that successfully call admin:* actions (e.g., update-service-account) when they were created with only s3:* policy scope — this indicates exploitation of the permission inheritance flaw.
  • The exploit uses AWS Signature Version 4 (sign_v4_s3) with region 'us-east-1' and the X-Amz-Content-Sha256 / X-Amz-Date headers — correlate these headers on admin endpoint calls from service accounts to detect abuse.
  • The exploit targets the MinIO console API port (default 9090) for login/bucket/key management and the MinIO S3 API port (default 9000) for the admin privilege escalation call — both ports must be monitored.
  • The exploit supports HTTPS targets via a --https flag with TLS verification disabled (verify=False), so detection rules must cover both HTTP and HTTPS traffic on the relevant ports.
  • The privilege escalation only succeeds if admin:* rights are NOT explicitly denied somewhere in the access-key hierarchy — deployments that explicitly deny admin actions in parent key policies are not vulnerable.
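The following is an added detection example, not code from the page or from the MinIO project. It implements two of the rules above over a constructed, hypothetical access-log format (timestamp, client IP, method, path, status, request body length; MinIO's real audit log is richer and shaped differently): it flags any POST to /minio/admin/v3/update-service-account carrying a body, and raises a higher-fidelity alert when that call follows a POST to /api/v1/service-account-credentials from the same client within a short window. It also includes a helper that checks a MinIO release tag against the fixed release, relying on the fact that RELEASE.YYYY-MM-DDThh-mm-ssZ tags are fixed width, so string order equals chronological order. The sample log lines and release tags below are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Fixed release from the advisory; anything lexically smaller predates it.
FIXED_RELEASE = "RELEASE.2024-01-31T20-20-33Z"
CREATE_KEY_PATH = "/api/v1/service-account-credentials"
ESCALATE_PATH = "/minio/admin/v3/update-service-account"
# Window for the create-key -> escalate sequence (an assumption; tune to your traffic).
SEQUENCE_WINDOW = timedelta(minutes=5)

# Hypothetical log format (constructed for this example, not MinIO's own):
# <ISO timestamp> <client ip> <method> <path> <status> <request body bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<body>\d+)$"
)

# Constructed sample traffic: one client creates a key and immediately rewrites
# its policy; another client only rewrites a policy; a third is benign.
SAMPLE_LOG = """\
2024-01-30T10:00:01 203.0.113.7 POST /api/v1/login 204 52
2024-01-30T10:00:05 203.0.113.7 GET /api/v1/buckets 200 0
2024-01-30T10:00:09 203.0.113.7 POST /api/v1/service-account-credentials 201 140
2024-01-30T10:00:12 203.0.113.7 POST /minio/admin/v3/update-service-account 204 312
2024-01-30T11:15:00 198.51.100.4 POST /minio/admin/v3/update-service-account 204 280
2024-01-30T11:20:00 192.0.2.9 GET /minio/admin/v3/info 200 0
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query strings
        "status": int(m["status"]),
        "body": int(m["body"]),
    }


def is_vulnerable_release(tag):
    """True when the MinIO release tag predates the fixed release."""
    if not re.fullmatch(r"RELEASE\.\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z", tag):
        raise ValueError(f"unrecognised MinIO release tag: {tag!r}")
    return tag < FIXED_RELEASE


def find_alerts(lines):
    """Return (rule, client_ip, timestamp) tuples for the two request-based rules."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts = []
    last_create = {}  # client ip -> time of its most recent successful key creation
    for e in events:
        if e["method"] != "POST":
            continue
        if e["path"] == CREATE_KEY_PATH and e["status"] < 400:
            last_create[e["ip"]] = e["ts"]
        elif e["path"] == ESCALATE_PATH and e["body"] > 0:
            # Rule 1: any policy rewrite of a service account (noisy; admins do this too).
            alerts.append(("policy_override", e["ip"], e["ts"]))
            # Rule 2: the rewrite closely follows a key creation from the same client.
            created = last_create.get(e["ip"])
            if created is not None and e["ts"] - created <= SEQUENCE_WINDOW:
                alerts.append(("create_then_escalate", e["ip"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in find_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {rule}")
    # Example tags (constructed, not taken from the advisory):
    for tag in ("RELEASE.2024-01-29T03-56-43Z", FIXED_RELEASE):
        print(tag, "vulnerable" if is_vulnerable_release(tag) else "fixed")
```

The `policy_override` rule on its own will fire on legitimate administration, so treat it as context; the `create_then_escalate` sequence is the signal worth paging on. Confirming an alert still requires the policy attached to the key that made the call (an `s3`-only key exercising an `admin:*` action), which this log format does not carry.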