Security Advisory
Synopsis: A possible authentication bypass against the MinIO server Admin API was discovered and has been fixed in RELEASE.2018-01-18T20-33-21Z.
Severity: Critical
Who is affected: All users of AWS Signature V2 without TLS or AWS Signature V2 pre-signed requests are affected. If you are using AWS Signature V4 for pre-signed requests, you are not affected. If you are using AWS Signature V2 with TLS and no V2 pre-signed requests, you are not affected. However, it is still recommended to upgrade.
Recommended Action for Users: All users are advised to upgrade their MinIO deployments to the latest version. This issue is fixed in version RELEASE.2018-01-18T20-33-21Z. If you are using AWS Signature V2, it is also recommended to change your MinIO access credentials.
Description: An AWS Signature V2 request can be modified to trigger Admin API calls. With such malicious requests it is possible to obtain the server configuration — including access credentials — through the Admin API.
The issue was discovered through an internal security audit, and a patch was submitted that fixes it by accepting only AWS Signature V4 signed requests for Admin API calls. The patch has been reviewed and accepted, and a new release has been made.
A successful exploit can be used to obtain the server credentials, and thereby steal or corrupt your data. Furthermore, it will not cause suspicious server behavior. At the time of writing, this exploit has not been observed in the wild.
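The fix described above restricts Admin API calls to AWS Signature V4. The following is an added sketch of that kind of gate as Go HTTP middleware; it is not MinIO's patch or code. The `/minio/admin` prefix, the function names, and the sample requests are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

const adminPrefix = "/minio/admin" // assumed Admin API route prefix; not given in the advisory

// sigScheme names the signature scheme a request claims; any V2 marker wins (fail closed).
func sigScheme(r *http.Request) string {
	q, auth := r.URL.Query(), r.Header.Get("Authorization")
	_, v2Query := q["AWSAccessKeyId"]   // V2 pre-signed URL marker
	_, v4Query := q["X-Amz-Credential"] // V4 pre-signed URL marker
	switch {
	case strings.HasPrefix(auth, "AWS ") || v2Query:
		return "v2"
	case strings.HasPrefix(auth, "AWS4-HMAC-SHA256 ") || v4Query:
		return "v4"
	}
	return "none"
}

// requireV4ForAdmin gates admin routes on the claimed scheme; signature checks stay downstream.
func requireV4ForAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := path.Clean("/" + r.URL.Path) // normalize before prefix matching
		if (p == adminPrefix || strings.HasPrefix(p, adminPrefix+"/")) && sigScheme(r) != "v4" {
			http.Error(w, "admin API requires AWS Signature V4", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a constructed request through the guard and returns the response code.
func status(target, authHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest("GET", target, nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	requireV4ForAdmin(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status("/minio/admin/v1/config", "AWS EXAMPLEKEY:c2ln")) } // constructed V2 request: 403
```

A request that carries both V2 and V4 markers is classified as V2 and rejected on admin routes, so an ambiguous request cannot pick the weaker scheme.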