Recent reports indicate two vulnerabilities relating to information disclosure and remote code execution in MinIO, and their proof of concept was publicly disclosed.
Threat actors relied on a non-native solution and exploited these vulnerabilities relatively easily. These vulnerabilities existed on the MinIO, an Amazon S3 cloud storage service.
MinIO is an open-source, high-performance Object storage service that uses Amazon S3 API. It is considered a cost-effective storage solution that can be used for cloud-native applications and backup or archive.
It also has RESTful API and AWS Command Line Interface (CLI) that can be used for adaptability.
CVE-2023-28434 and CVE-2023-28432
According to the reports shared with Cyber Security News, the two highly used vulnerabilities for exploitation were CVE-2023-28434 and CVE-2023-28432. The severities for these vulnerabilities were 7.5 (High) and 8.8 (High), respectively.
A threat actor can exploit CVE-2023-28434 to bypass a bucket name checking and put an object in any S3 bucket when PostPolicyBucket is being processed.
However, there are prerequisites for exploiting this vulnerability, which include credentials with `arn:aws:s3:::*` permission and enabling console API access.
CVE-2023-28432 relates to an information disclosure vulnerability due to a flaw in a cluster deployment in RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z.
These MinIO deployments return all variables, including `MINIO_SECRET_KEY` and
MINIO_ROOT_PASSWORD, which can be used by threat actors for malicious purposes.
A GitHub repository under the name evil_minio, which contains a proof-of-concept for these vulnerabilities, was publicly disclosed, raising suspicion of any relation between the attackers and the publisher.