Learn about CVE-2023-28433 impacting Minio on Windows due to path separator manipulation. High impact, immediate mitigation needed.
This CVE refers to a privilege escalation vulnerability in Minio on Windows due to path separator manipulation.
Understanding CVE-2023-28433
This vulnerability in Minio affects Windows systems prior to version RELEASE.2023-03-20T20-16-18Z, allowing users with low privileges to create an admin user by manipulating path separators.
What is CVE-2023-28433?
Minio, a Multi-Cloud Object Storage framework, fails to filter the backslash (\) character, enabling users to place objects across buckets arbitrarily. This means that a user with limited privileges, such as an access key, service account, or STS credential restricted to PutObject permissions in a specific bucket, can escalate their privileges to those of an admin user.
The Impact of CVE-2023-28433
The impact of this vulnerability is rated as high, with confidentiality, integrity, and availability all being significantly affected. As a user with low privileges can gain admin access, it poses a serious security risk to the Minio storage environment.
Technical Details of CVE-2023-28433
This section delves into the technical aspects of the CVE, including the vulnerability description, affected systems and versions, and the exploitation mechanism.
Vulnerability Description
The vulnerability arises from Minio's failure to filter the backslash (\) character, allowing unauthorized users to manipulate path separators and gain escalated privileges by creating admin users.
Affected Systems and Versions
All Windows systems running Minio prior to version RELEASE.2023-03-20T20-16-18Z are impacted by this vulnerability.
Exploitation Mechanism
Exploiting this vulnerability involves leveraging the lack of character filtering to manipulate path separators and escalate privileges to admin level within the Minio storage environment.
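The defensive counterpart of the behaviour described above is to validate object names before they are mapped onto the backend filesystem, so that a backslash is never treated as a path separator on Windows and no segment can leave the bucket directory. The following Go snippet is an added illustration written for this page, not Minio's own code; validateObjectName and objectPath are hypothetical names, and the bucket root directory is a constructed example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrInvalidObjectName is returned when an object name could be interpreted
// by the filesystem backend as a path that escapes its bucket directory.
var ErrInvalidObjectName = errors.New("invalid object name: unsafe path separator or traversal")

// validateObjectName rejects object names that a Windows filesystem backend
// could interpret as path separators or directory traversal.
// Hypothetical hardening check written for this page, not Minio's own code.
func validateObjectName(name string) error {
	if name == "" || len(name) > 1024 {
		return ErrInvalidObjectName
	}
	// Windows treats '\' as a separator, so it is rejected outright instead
	// of being passed through to the filesystem as an ordinary character.
	if strings.ContainsRune(name, '\\') {
		return ErrInvalidObjectName
	}
	// An absolute name or a "." / ".." segment could redirect the write
	// outside the bucket regardless of which separator is used.
	if strings.HasPrefix(name, "/") {
		return ErrInvalidObjectName
	}
	for _, seg := range strings.Split(name, "/") {
		if seg == "." || seg == ".." {
			return ErrInvalidObjectName
		}
	}
	return nil
}

// objectPath maps a bucket and a validated object name to a backend path
// below root; it refuses to build a path for a name that fails validation.
func objectPath(root, bucket, name string) (string, error) {
	if err := validateObjectName(name); err != nil {
		return "", err
	}
	return path.Join(root, bucket, name), nil
}

func main() {
	// Constructed sample names: one ordinary key, two that must be rejected.
	for _, name := range []string{"photos/2023/cat.jpg", `..\other-bucket\x`, "../other-bucket/x"} {
		p, err := objectPath("/data", "mybucket", name)
		fmt.Printf("%-22q -> path=%q err=%v\n", name, p, err)
	}
}
```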
Mitigation and Prevention
To mitigate the risks associated with CVE-2023-28433, immediate steps should be taken to address the vulnerability and prevent unauthorized privilege escalation.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Refer to the Minio security advisories and commits mentioned in the references to stay informed about security patches and updates released by the vendor to address CVE-2023-28433.