Hackers Weaponizing MinIO Storage System flaws to execute remote code on cloud servers

Recent reports indicate two vulnerabilities relating to information disclosure and remote code execution in MinIO, and their proof of concept was publicly disclosed.

Threat actors relied on a non-native solution and exploited these vulnerabilities relatively easily. These vulnerabilities existed on the MinIO, an Amazon S3 cloud storage service.

MinIO is an open-source, high-performance Object storage service that uses Amazon S3 API. It is considered a cost-effective storage solution that can be used for cloud-native applications and backup or archive.

It also has RESTful API and AWS Command Line Interface (CLI) that can be used for adaptability.

CVE-2023-28434 and CVE-2023-28432

According to the reports shared with Cyber Security News, the two highly used vulnerabilities for exploitation were CVE-2023-28434 and CVE-2023-28432. The severities for these vulnerabilities were 7.5 (High) and 8.8 (High), respectively.

A threat actor can exploit CVE-2023-28434 to bypass a bucket name checking and put an object in any S3 bucket when PostPolicyBucket is being processed.

However, there are prerequisites for exploiting this vulnerability, which include credentials with `arn:aws:s3:::*` permission and enabling console API access.

CVE-2023-28432 relates to an information disclosure vulnerability due to a flaw in a cluster deployment in RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z.

These MinIO deployments return all variables, including `MINIO_SECRET_KEY` and MINIO_ROOT_PASSWORD, which can be used by threat actors for malicious purposes.

A GitHub repository under the name evil_minio, which contains a proof-of-concept for these vulnerabilities, was publicly disclosed, raising suspicion of any relation between the attackers and the publisher. 

A complete report about the investigation has been published by Security Joes, which provides detailed information about the exploitation, indicators of compromise, and YARA rules for detection.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.