Synopsis: Two different privilege escalation possibilities against the IAM implementation of MinIO server were discovered and has been fixed in RELEASE.2019–04–04T18–31–46Z.
Who is affected: All users of the MinIO server are affected. Users of the MinIO gateway are not affected. However, it is still recommended to upgrade.
Recommended Action for Users: All users are advised to upgrade their Minio deployments to the latest version. This issue is fixed in version RELEASE.2019–04–04T18–31–46Z (https://dl.minio.io/server/minio/release/linux-amd64/minio). If users/applications have access to the MinIO server using separate access/secret key pairs (IAM multi-user system) it is recommended to change at least the admin access credentials and check the IAM user access policies. Additionally, you should also change the access credentials of all IAM users.
Description: An authenticated IAM user can access the internal MinIO server configuration.
- The first privilege escalation vulnerability affects all MinIO server and allows an IAM user to read from or write to the internal MinIO server configuration by sending either a malicious S3 API GET/PUT request or a malicious JWT POST request.
- The second privilege escalation vulnerability affects only MinIO servers running in distributed erasure-coded backend mode and allows an IAM user to read from or write to the internal MinIO server configuration using the inter-node communication protocol of the MinIO servers.
The issue was discovered through an internal security audit and a patch has been submitted to only allow requests, authenticated with the admin credentials, to access the internal MinIO server configuration. The patch has been reviewed and accepted, and a new release has been made.
A successful exploit can be used to impersonate other IAM users or obtain the admin credentials, and thereby steal or corrupt your data. Further, it will not cause suspicious server behavior. At the time of writing, this exploit has not been observed in the wild.