Lucene search

HistorySep 26, 2023 - 12:00 a.m.

MinIO < RELEASE.2023-03-20T20-16-18Z Multiple Vulnerabilities

2023-09-2600:00:00

www.tenable.com

8.7 High

AI Score

Confidence

High

JSON

The version of MinIO installed on the remote host is prior to RELEASE.2023-03-20T20-16-18Z. It is, therefore, affected by multiple vulnerabilities:

When deployed in a cluster/in distributed mode MinIO returns all environment variables, including ‘MINIO_SECRET_KEY’ and ‘MINIO_ROOT_PASSWORD’, resulting in information disclosure. (CVE-2023-28432)
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. (CVE-2023-28434)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(181873);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/13");

  script_cve_id("CVE-2023-28432", "CVE-2023-28434");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/10/10");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/05/12");

  script_name(english:"MinIO < RELEASE.2023-03-20T20-16-18Z Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The MinIO instance installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MinIO installed on the remote host is prior to RELEASE.2023-03-20T20-16-18Z. It is, therefore, affected
by multiple vulnerabilities:

  - When deployed in a cluster/in distributed mode  MinIO returns all environment variables, including 
  'MINIO_SECRET_KEY' and 'MINIO_ROOT_PASSWORD', resulting in information disclosure. (CVE-2023-28432)

  - An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any
  bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with
  arn:aws:s3:::* permission, as well as enabled Console API access. (CVE-2023-28434)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://blog.min.io/security-advisory-stackedcves/");
  script_set_attribute(attribute:"see_also", value:"https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c");
  script_set_attribute(attribute:"see_also", value:"https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MinIO version RELEASE.2023-03-20T20-16-18Z or later, or apply the workaround mentioned in the vendor advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-28434");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:minio:minio");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("minio_win_installed.nbin", "minio_installed_linux.nbin", "minio_mac_installed.nbin");
  script_require_keys("installed_sw/MinIO");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

var win_local;
if (!empty_or_null(get_kb_item('SMB/Registry/Enumerated')))
  win_local = TRUE;
else
  win_local = FALSE;

vcf::minio::initialize();
var app_info = vcf::get_app_info(app:'MinIO', win_local:win_local);

# not checking config / patch
if (report_paranoia < 2)
  audit(AUDIT_POTENTIAL_VULN);

var constraints = [
  { 'fixed_version': 'RELEASE.2023-03-20T20-16-18Z' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

VendorProductVersionCPE
miniominiocpe:/a:minio:minio

Vendor	Product	Version	CPE
minio	minio		cpe:/a:minio:minio

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28432

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28434

blog.min.io/security-advisory-stackedcves/

github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c

github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

8.7 High

AI Score

Confidence

High

JSON

Related for MINIO_2023-03-20.NASL