MinIO, Authentication Bypass, CVE-2023-XXXX (Critical)

How the CVE Works:

This vulnerability is a logic flaw in the MinIO server's handling of SSH public-key authentication for SFTP connections when LDAP is configured as the external identity provider. Normally, MinIO compares the public key the client offers with the values of the user's `sshPublicKey` attribute in LDAP. If the LDAP entry has no `sshPublicKey` attribute at all, the server has nothing to compare against and, instead of failing closed, accepts whatever key the client presents. An attacker who knows or guesses the username of such a user can therefore authenticate with any SSH key and perform SFTP operations (read, write, delete, list) with whatever MinIO access policies are attached to that LDAP user or their groups. Users whose entry does carry an `sshPublicKey` value still have their key checked. The bug was introduced in commit minio/minio@91e1487.
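As an added illustration of the failure mode just described (this is not MinIO's source code and is not taken from the advisory), the following Go snippet models an SFTP public-key callback that compares the key the client offers with the `sshPublicKey` values fetched from LDAP. The function names, the key-comparison helper and the sample keys are assumptions made for this example. The point it shows is that a check which only fails on an explicit mismatch becomes default-allow when the attribute is absent, and how a fail-closed version differs.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Illustrative model of the described flaw (not MinIO's code): an SFTP
// public-key callback receives the key the client offered and the list of
// sshPublicKey values read from the user's LDAP entry. Keys are handled as
// authorized_keys-style text ("type base64 [comment]").

// normalizeKey keeps only the key type and base64 blob, so a differing
// comment or extra whitespace does not break the comparison.
func normalizeKey(line string) (string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", errors.New("malformed public key line")
	}
	return fields[0] + " " + fields[1], nil
}

// keysEqual compares two key lines in constant time after normalization.
func keysEqual(a, b string) bool {
	na, errA := normalizeKey(a)
	nb, errB := normalizeKey(b)
	if errA != nil || errB != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(na), []byte(nb)) == 1
}

var errNoMatch = errors.New("offered key matches no sshPublicKey value")
var errNoKeys = errors.New("LDAP user has no sshPublicKey attribute; denying")

// vulnerableAuthorize models the bug: it only fails when stored keys exist
// and none of them match. A user whose LDAP entry lacks sshPublicKey yields
// an empty slice, the loop never runs, and the function returns nil
// (success) for any key the client presents.
func vulnerableAuthorize(offered string, ldapKeys []string) error {
	for _, k := range ldapKeys {
		if keysEqual(k, offered) {
			return nil
		}
	}
	if len(ldapKeys) > 0 {
		return errNoMatch
	}
	return nil // BUG: "nothing to check" is treated as "authenticated"
}

// hardenedAuthorize is fail-closed: no stored keys means no key-based
// login at all, and success requires an explicit match.
func hardenedAuthorize(offered string, ldapKeys []string) error {
	if len(ldapKeys) == 0 {
		return errNoKeys
	}
	for _, k := range ldapKeys {
		if keysEqual(k, offered) {
			return nil
		}
	}
	return errNoMatch
}

func main() {
	// Constructed sample keys: the base64 parts are placeholders, not real key blobs.
	aliceKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAliceKeyBlob alice@example.com"
	attackerKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAttackerKeyBlob attacker"

	// User with the attribute set: both versions reject the attacker's key.
	fmt.Println("alice, vulnerable:", vulnerableAuthorize(attackerKey, []string{aliceKey}))
	fmt.Println("alice, hardened:  ", hardenedAuthorize(attackerKey, []string{aliceKey}))

	// User without sshPublicKey: only the hardened version refuses.
	fmt.Println("no-key user, vulnerable:", vulnerableAuthorize(attackerKey, nil))
	fmt.Println("no-key user, hardened:  ", hardenedAuthorize(attackerKey, nil))
}
```

The design point is the explicit `len(ldapKeys) == 0` branch in `hardenedAuthorize`: an authentication routine must distinguish "no credential on record" from "credential matched", and the safe default for the former is denial.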

DailyCVE Form:

Platform: MinIO

Version: Prior to fix in commit 91e1487

Vulnerability: Authentication Bypass

Severity: Critical

Date: 2023-XX-XX

What Undercode Says:

Exploitation:

1. Requirements:

  • MinIO server with SFTP and LDAP configured.
  • LDAP user without `sshPublicKey` attribute.
  • Access policies assigned to the user or their groups.

2. Steps:

  • Identify an LDAP user whose entry lacks the `sshPublicKey` attribute but who has MinIO policies attached directly or via group membership.
  • Use any SSH key to establish an SFTP connection as that user.
  • Perform unauthorized SFTP operations (read/write/delete/list) within whatever the user's policies allow.

3. Exploit Command:

sftp -P 8022 -i /path/to/any/key user@minio-server

(8022 is the port commonly used for MinIO's SFTP listener in its documentation; substitute the port configured in the server's `--sftp` address. The exact username form for LDAP users is described in MinIO's SFTP documentation and depends on the identity provider setup.)

Protection:

  1. Patch: Update MinIO to a release that includes the fix for commit 91e1487.
  2. Mitigation: Until patched, disable the SFTP listener, or make sure every LDAP user who can reach it has an `sshPublicKey` value set. An LDAP user with MinIO policies but no `sshPublicKey` attribute is exactly the condition the bug needs.
  3. Configuration Check (lists LDAP users that have no `sshPublicKey`; adjust the base DN and bind options to your directory):

ldapsearch -x -LLL -b "dc=example,dc=com" "(&(objectClass=person)(!(sshPublicKey=*)))" 1.1

  4. Access Control: Restrict SFTP access, at the network level and through MinIO policies, to the users who actually need it.

Code Snippet for LDAP Check:

#!/bin/bash
# List LDAP users that have no sshPublicKey attribute.
# The negated filter does the work server-side; the original grep -v approach
# only hid the key lines and did not isolate users lacking the attribute.
# Adjust the base DN (and add -H/-D/-w for your server) as needed.
ldapsearch -x -LLL -b "dc=example,dc=com" \
  "(&(objectClass=person)(!(sshPublicKey=*)))" 1.1

Analytics:

  • Affected Systems: MinIO servers with LDAP and SFTP enabled.
  • Risk Level: High due to potential data exposure and manipulation.
  • Exploit Complexity: Low; the attacker needs only the username of an LDAP user that lacks `sshPublicKey` and network reach to the SFTP port.

Additional Commands:

  • MinIO Version Check:
    minio --version

  • SFTP Access Logs (MinIO writes its log to standard output; with the systemd unit from the official packaging, assumed here to be named `minio`, read the journal, otherwise use whatever path your deployment captures output to):
    journalctl -u minio -f
    

References:

Advisory: https://github.com/advisories/GHSA-wc79-7x8x-2p58