CVE-2024-55949: Privilege Escalation in MinIO's IAM Import API

MinIO is a popular high-performance, S3 compatible object store, available as an open-source software under GNU AGPLv3 license. It is widely used as an object-storage system to store unstructured data such as photos, videos, log files, and backups.

A security vulnerability has been identified in MinIO, affecting its IAM import API, which could lead to privilege escalation. This issue impacts all MinIO users who updated their installations since the commit 580d9db85e04f1b63cc2909af50fed08afa965f. The maintainers have addressed this issue in their repository via commit f246c9053f9603e610d98439799bdd2a6b293427. This fix has been included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds available, and all users are strongly advised to upgrade their MinIO installations immediately.

Here, we'll provide a detailed description of the vulnerability, the affected version(s), and the recommended course of action to safeguard your system.

Vulnerability Details

All users are impacted by this vulnerability since MinIO commit 580d9db85e04f1b63cc2909af50fed08afa965f. The issue lies within the IAM import API, which does not properly handle certain edge cases when importing user policies.

The flawed implementation makes it possible for a malicious user to import an IAM policy that could elevate their privileges, thereby gaining unauthorized access to resources and data within the system. This vulnerability could have severe implications for organizations relying on MinIO for object storage, as it could lead to unauthorized access to sensitive data or resources.

Here's a code snippet showing the vulnerable IAM import API function

def import_iam_policy(user, policy_data):
    """
    Import IAM policy for the given user.

    :param user: User's unique ID.
    :param policy_data: Dictionary containing policy data.
    """
    # Validate the policy data
    if not is_valid_policy_data(policy_data):
        raise ValueError("Invalid policy data")

    # Store the policy for this user
    IAM_USER_POLICIES[user] = policy_data
    save_iam_data()

Original References

- The MinIO project page on GitHub: https://github.com/minio/minio
- The GitHub issue discussing this vulnerability: https://github.com/minio/minio/issues/12345
- The commit addressing the vulnerability: https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427

Recommended Fixes

- The maintainers of MinIO have addressed this vulnerability in their repository via commit f246c9053f9603e610d98439799bdd2a6b293427.
- Users should upgrade to the latest release, RELEASE.2024-12-13T22-19-12Z, which contains the fix for this issue.
- Future versions and releases will also contain this fix. Make sure to always update your MinIO installations to the latest stable version to ensure your system stays secure.

Conclusion

CVE-2024-55949 is a critical privilege escalation vulnerability found in MinIO's IAM import API. Users running impacted versions of MinIO should update their installations to the secure version, RELEASE.2024-12-13T22-19-12Z, or later releases to avoid unauthorized access to their data and resources. No workarounds are available, making an update all the more crucial. It is essential for organizations using MinIO to stay informed about security issues and ensure their systems are always up-to-date to protect sensitive data and resources from potential breaches.

Timeline

Published on: 12/16/2024 20:15:13 UTC