Understanding the Attack Vector for CVE-2023-28432 and CVE-2023-28434

On September 4th, it was uncovered that an unknown threat actor had attacked publicly available MinIO object storage clusters. The attackers exploited two known security vulnerabilities in the MinIO server: CVE-2023-28432 and CVE-2023-28434. Both vulnerabilities had been reported and fixed on March 19th and 20th, and a new release, RELEASE.2023-03-20T20-16-18Z, was published the same day. Both CVEs were

Certificate-based Authentication for S3

Security is paramount at MinIO and sits up there with performance, simplicity and resilience in the pantheon of things that matter. MinIO encrypts data when stored on disk and when transmitted over the network. MinIO’s state-of-the-art encryption schemes support granular object-level encryption using modern, industry-standard encryption algorithms, such as AES-256-GCM, ChaCha20-Poly1305, and AES-CBC. MinIO is fully compatible with S3

Security Advisory

Synopsis: A signature verification bypass vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-03-17T02-33-02Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-03-17T02-33-02Z].
Severity: Medium
Who is affected: All users of the MinIO server version before RELEASE.2021-03-17T02-33-02Z are affected. Users accessing MinIO over TLS are not affected.
Recommended Action for Users: All users are advised

Security Advisory

Synopsis: A server-side request forgery (SSRF) vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-01-30T00-20-58Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z].
Severity: Medium
Who is affected: All users of the MinIO server version RELEASE.2019-12-17T23-16-33Z or newer are affected. Users that have disabled the MinIO browser UI are not affected.
Recommended Action

The Raccoon Attack - It Is All About The Timing

Two days ago, on Sep. 08, research teams from Germany and Israel published a joint research paper [https://raccoon-attack.com/RacoonAttack.pdf] describing another TLS timing attack, called Raccoon. This attack targets all TLS versions up to 1.2. The new attack [https://raccoon-attack.com/] exploits a timing side-channel during the TLS handshake when the Diffie-Hellman (DH) key exchange

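The handshake detail behind that timing side-channel, shown as an added Python example (this is not code from the MinIO post or from the Raccoon authors): RFC 5246, section 8.1.2, requires that leading all-zero bytes of the DH shared secret Z be stripped before Z is used as the pre_master_secret, and the TLS 1.2 PRF then uses that variable-length value as an HMAC key. The moduli, private exponents and helper names below are constructed for illustration and are not the groups or parameters from the paper.

```python
"""Added example (not from the MinIO post or the Raccoon paper): the
TLS <= 1.2 premaster-secret rule that Raccoon exploits. RFC 5246 8.1.2
strips leading zero bytes from the DH shared secret Z, so the length of
the PRF's HMAC key, and hence the hashing work, depends on the most
significant bits of Z. The moduli below are toy values chosen for this
example, not real TLS groups."""
import random


def dh_shared(priv: int, peer_pub: int, p: int) -> int:
    """Finite-field DH: Z = peer_pub ** priv mod p."""
    return pow(peer_pub, priv, p)


def premaster_secret(z: int, p: int) -> bytes:
    """RFC 5246 8.1.2: Z as big-endian bytes, leading zero bytes stripped.
    The resulting length reveals whether the top byte(s) of Z are zero."""
    full = z.to_bytes((p.bit_length() + 7) // 8, "big")
    return full.lstrip(b"\x00")


def hmac_key_compressions(key_len: int, block: int = 64, pad: int = 9) -> int:
    """Extra SHA-256 compression calls HMAC spends on an over-long key.
    Keys up to the 64-byte block are zero-padded and cost nothing extra;
    longer keys are hashed first, and SHA-256 padding needs at least 9
    bytes, so ceil((key_len + 9) / 64) compressions are performed."""
    if key_len <= block:
        return 0
    return (key_len + pad + block - 1) // block


def bits_known_zero(pms_len: int, p: int) -> int:
    """What a 'short premaster secret' timing oracle tells the attacker:
    8 bits of Z are known to be zero for every byte that was stripped."""
    return 8 * ((p.bit_length() + 7) // 8 - pms_len)


def length_histogram(p: int, trials: int, seed: int = 0) -> dict:
    """Distribution of premaster-secret lengths for Z drawn uniformly from
    [1, p). Uniform Z stands in for the shared secret of a prime-order DH
    group; each leading byte is zero with probability about 1/256."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    hist = {}
    for _ in range(trials):
        n = len(premaster_secret(rng.randrange(1, p), p))
        hist[n] = hist.get(n, 0) + 1
    return hist


# Toy parameters, constructed for this example (not real TLS groups).
P_TOY = (1 << 64) - 59      # 8-byte modulus, cheap enough for a live exchange
G_TOY = 2
P_1024 = (1 << 1024) - 105  # 128-byte modulus: HMAC must hash keys this long


def toy_exchange(a: int, b: int) -> tuple:
    """One DH exchange on the toy group; returns (Z, premaster bytes)."""
    A = pow(G_TOY, a, P_TOY)
    B = pow(G_TOY, b, P_TOY)
    z_alice = dh_shared(a, B, P_TOY)
    z_bob = dh_shared(b, A, P_TOY)
    assert z_alice == z_bob  # both sides agree on Z
    return z_alice, premaster_secret(z_alice, P_TOY)


if __name__ == "__main__":
    z, pms = toy_exchange(a=0x1234567, b=0x89ABCDEF)
    print(f"Z = {z:#x}, premaster = {pms.hex()} ({len(pms)} bytes)")
    hist = length_histogram(P_1024, trials=4096)
    for n in sorted(hist, reverse=True):
        print(f"{n:3d}-byte premaster: {hist[n]:4d} samples, "
              f"{hmac_key_compressions(n)} key compressions, "
              f"{bits_known_zero(n, P_1024)} top bits of Z known to be zero")
```

The histogram shows the precondition the attack builds on: with a 128-byte modulus roughly one handshake in 256 yields a 127-byte premaster secret, and once enough bytes are stripped the HMAC key crosses a SHA-256 block boundary and costs one compression call less. A server that reuses its DH share turns that measurable difference into an oracle on the top bits of Z; TLS 1.3 avoids the problem by not stripping zeros.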