CVE-2021-21287 Overview
CVE-2021-21287 is a Server-Side Request Forgery (SSRF) vulnerability affecting MinIO, a High Performance Object Storage solution released under Apache License v2.0. In MinIO versions prior to RELEASE.2021-01-30T00-20-58Z, an attacker can exploit functionality for importing data from URLs, publishing data to URLs, or reading data from URLs that can be tampered with.
The attacker can modify calls to this functionality by supplying a completely different URL or by manipulating how URLs are built through path traversal techniques. This allows the attacker to abuse server functionality to read or update internal resources, potentially accessing sensitive server configuration such as AWS metadata, connecting to internal services like HTTP-enabled databases, or performing POST requests towards internal services not intended to be exposed.
Critical Impact
Authenticated attackers can exploit this SSRF vulnerability from the network to read sensitive internal resources including AWS metadata, access internal HTTP-enabled databases, and interact with unexposed internal services, leading to significant confidentiality breaches.
Affected Products
- MinIO versions prior to RELEASE.2021-01-30T00-20-58Z
- MinIO Object Storage with browser front-end enabled
- MinIO deployments with URL import/export functionality exposed
Discovery Timeline
- 2021-02-01 - CVE-2021-21287 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21287
Vulnerability Analysis
This SSRF vulnerability exists in MinIO's URL handling functionality within the web handlers component. The vulnerability is classified under CWE-918 (Server-Side Request Forgery), indicating that the application accepts user-controlled URLs without proper validation, allowing attackers to craft requests that the server will execute on their behalf.
The attack requires low privileges (authenticated access) and can be executed remotely over the network with no user interaction required. What makes this vulnerability particularly dangerous is its ability to affect resources beyond the vulnerable component's security scope, enabling attackers to reach internal network resources that would otherwise be inaccessible.
Root Cause
The root cause lies in insufficient validation and sanitization of user-supplied URLs in the cmd/web-handlers.go component. The LoginSTS functionality was implemented in a manner that allowed external URL manipulation. The fix involved making LoginSTS an inline implementation to prevent the SSRF attack vector, as well as improving error handling to avoid information disclosure through error messages.
Attack Vector
The attack is network-based and requires an authenticated user to exploit. The attacker can:
- Supply a malicious URL to MinIO's data import functionality
- Manipulate URL construction through path traversal techniques
- Force the server to make requests to internal resources
- Exfiltrate sensitive data such as AWS instance metadata (commonly at http://169.254.169.254/)
- Interact with internal HTTP services not intended for external access
The security patch addresses this by modifying how STS login is implemented and improving error handling:
default:
apiErr = APIError{
Code: apiErr.Code,
Description: fmt.Sprintf("%s: cause(%v)", apiErr.Description, err),
HTTPStatusCode: apiErr.HTTPStatusCode,
}
}
}
Source: GitHub Commit eb6871e
Detection Methods for CVE-2021-21287
Indicators of Compromise
- Unusual outbound requests from MinIO servers to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254
- Unexpected URL patterns in MinIO access logs containing internal hostnames or IP addresses
- Authentication attempts followed by requests to non-standard endpoints
Detection Strategies
- Monitor MinIO server logs for requests containing internal IP addresses or cloud metadata URLs
- Implement network-level detection for SSRF patterns using IDS/IPS rules targeting internal IP range requests from web servers
- Configure web application firewalls to detect and block URL manipulation attempts in MinIO requests
- Review authentication logs for unusual STS login patterns that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging on MinIO servers and centralize logs for analysis
- Implement alerting on requests to RFC1918 private IP ranges and link-local addresses from MinIO instances
- Monitor for unusual data exfiltration patterns or unexpected network connections from MinIO servers
- Deploy network segmentation to limit the impact of successful SSRF exploitation
How to Mitigate CVE-2021-21287
Immediate Actions Required
- Upgrade MinIO to version RELEASE.2021-01-30T00-20-58Z or later immediately
- If immediate upgrade is not possible, disable the browser front-end using the MINIO_BROWSER=off environment variable
- Review network segmentation to limit MinIO server access to internal resources
- Audit recent MinIO logs for any signs of exploitation
Patch Information
MinIO has released a security patch in version RELEASE.2021-01-30T00-20-58Z that addresses this vulnerability. The fix is documented in GitHub Pull Request #11337 and implemented in commit eb6871e. All users are strongly advised to upgrade to this version or later.
Additional resources:
Workarounds
- Disable the MinIO browser front-end by setting the MINIO_BROWSER=off environment variable if upgrading is not immediately possible
- Implement strict network egress filtering to prevent the MinIO server from making requests to internal networks
- Deploy a web application firewall (WAF) configured to detect and block SSRF attack patterns
- Restrict MinIO server network access using firewall rules to only necessary external endpoints
# Disable MinIO browser front-end as workaround
export MINIO_BROWSER=off
# Restart MinIO service to apply the change
systemctl restart minio
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
