
CVE-2023-28434 : Exploit Details and Defense Strategies

Learn about CVE-2023-28434 affecting MinIO, enabling attackers to bypass bucket name checks and escalate privileges on Linux/MacOS systems. Take immediate steps to patch and secure your MinIO deployment.

This article provides detailed information about CVE-2023-28434, focusing on the vulnerability found in MinIO, a multi-cloud object storage framework, leading to privilege escalation on Linux/MacOS systems.

Understanding CVE-2023-28434

CVE-2023-28434 highlights a vulnerability in MinIO where an attacker can exploit crafted requests to bypass metadata bucket name checking, allowing them to put an object into any bucket while processing PostPolicyBucket.

What is CVE-2023-28434?

MinIO, known as a multi-cloud object storage framework, had a security issue prior to RELEASE.2023-03-20T20-16-18Z, enabling an attacker to manipulate requests and insert objects into unauthorized buckets. This attack requires specific permissions and enabled Console API access.

The Impact of CVE-2023-28434

The impact of this vulnerability is significant, as it allows attackers to escalate their privileges on Linux and MacOS systems. With a high CVSS base score of 8.8, the confidentiality, integrity, and availability of the affected systems are at risk.

Technical Details of CVE-2023-28434

The vulnerability in MinIO (pre-RELEASE.2023-03-20T20-16-18Z) is categorized under CWE-269: Improper Privilege Management.

Vulnerability Description

The flaw enables an attacker to bypass metadata bucket name checking and place objects in unauthorized buckets by manipulating crafted requests during PostPolicyBucket processing.

Affected Systems and Versions

MinIO versions before RELEASE.2023-03-20T20-16-18Z are affected by this vulnerability. Users are advised to update to the patched version to mitigate the risk.

Exploitation Mechanism

To exploit this vulnerability, an attacker needs credentials with specific permissions (arn:aws:s3:::*) and enabled Console API access, allowing them to carry out privileged actions.

Mitigation and Prevention

It is crucial to take immediate steps to mitigate the risks posed by CVE-2023-28434 and implement long-term security practices to prevent such vulnerabilities in the future.

Immediate Steps to Take

        Update MinIO to the patched version RELEASE.2023-03-20T20-16-18Z to eliminate the vulnerability.
        Until the update is applied, set MINIO_BROWSER=off to turn off browser (Console) API access as a temporary workaround, since the attack requires Console API access to be enabled.
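As an added example (not code from the advisory or the MinIO project), the following Python check parses a MinIO release tag out of a version line, compares it with the patched release named above, and takes the MINIO_BROWSER workaround into account. It assumes the version text contains a tag of the form RELEASE.YYYY-MM-DDTHH-MM-SSZ, as `minio --version` prints; the sample version lines are constructed.

```python
import re
from datetime import datetime

# Patched release named in the advisory.
PATCHED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# MinIO release tags embed a UTC timestamp, so they can be ordered by parsing it.
_TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text: str) -> datetime:
    """Extract the RELEASE.<timestamp> tag from text (for example the output
    of `minio --version`, assumed to contain the tag) as a datetime."""
    m = _TAG_RE.search(text)
    if not m:
        raise ValueError(f"no MinIO RELEASE tag found in: {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")


def browser_api_enabled(env: dict) -> bool:
    """Browser/Console API access is on unless MINIO_BROWSER is set to off.
    Assumption: any value other than 'off' (case-insensitive) leaves it on."""
    return env.get("MINIO_BROWSER", "on").strip().lower() != "off"


def assess(version_text: str, env: dict) -> dict:
    """Report whether a deployment meets both conditions for CVE-2023-28434:
    an unpatched release and browser (Console) API access enabled."""
    release = parse_release(version_text)
    unpatched = release < parse_release(PATCHED_RELEASE)
    browser = browser_api_enabled(env)
    if not unpatched:
        action = "none"
    elif not browser:
        action = "upgrade (MINIO_BROWSER=off workaround active)"
    else:
        action = "upgrade now or set MINIO_BROWSER=off"
    return {
        "release": release.strftime("RELEASE.%Y-%m-%dT%H-%M-%SZ"),
        "unpatched": unpatched,
        "browser_api_enabled": browser,
        "exposed": unpatched and browser,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample version lines, not captured from a real server.
    for text, env in [
        ("minio version RELEASE.2023-03-13T19-46-17Z", {}),
        ("minio version RELEASE.2023-03-13T19-46-17Z", {"MINIO_BROWSER": "off"}),
        ("minio version RELEASE.2023-03-20T20-16-18Z", {}),
    ]:
        print(assess(text, env))
```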

Long-Term Security Practices

        Regularly update software and frameworks to the latest versions to ensure security patches are applied.
        Monitor and restrict permissions to minimize the impact of potential privilege escalation attacks.
        Conduct periodic security audits and vulnerability assessments to identify and address security gaps proactively.

Patching and Updates

Refer to the MinIO security advisories (GHSA-2pxw-r47w-4p8c) for detailed information on the patch release and follow the provided update instructions to secure your MinIO deployment.
