CVE-2023-28433 Overview
CVE-2023-28433 is a path traversal and privilege escalation vulnerability in MinIO, a popular Multi-Cloud Object Storage framework. It affects every MinIO installation running on Windows prior to version RELEASE.2023-03-20T20-16-18Z. MinIO's object-name validation did not treat the backslash (\) as a path separator, even though the Windows filesystem does, so a caller with nothing more than PutObject permission on a single bucket could supply a backslash-separated key that traverses out of that bucket, write objects into arbitrary buckets and paths, and ultimately escalate to administrator level.
Critical Impact
A low-privileged user with only PutObject permissions on a specific bucket can exploit this vulnerability to create admin user accounts, resulting in complete compromise of the MinIO deployment.
Affected Products
- MinIO server on Windows, any release prior to RELEASE.2023-03-20T20-16-18Z
- Windows deployments in which any access key, service account, or STS credential with PutObject permission on at least one bucket is held by a party that is not fully trusted
- Not affected: MinIO on Linux, macOS, or in containers, where the backslash is an ordinary character in an object name and not a path separator
Discovery Timeline
- 2023-03-22 - CVE-2023-28433 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28433
Vulnerability Analysis
This vulnerability is a path traversal flaw that becomes an authorization bypass, and it is specific to MinIO deployments on Windows. The core issue is that MinIO's object-name validation did not account for the backslash (\) as a path separator on Windows.
On Windows, both the forward slash (/) and the backslash (\) are valid path separators. MinIO's validation splits an object key on forward slashes and rejects traversal components such as "..", so a key like ../other is refused. The same check did not split on backslashes, so a key like ..\other passed through intact and was later resolved by the Windows filesystem as a traversal when the object was written. On Linux and macOS the backslash is just another byte in a file name, which is why those platforms are not affected.
The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere), because it allows an object to be written outside its authorized scope; as a path traversal it also fits CWE-22. An attacker with only PutObject permission in a single bucket can use it to write objects into any other bucket on the same drive layout, including MinIO's internal .minio.sys metadata area, where IAM user and policy configuration are persisted.
Root Cause
The root cause is insufficient input validation in MinIO's path handling logic on Windows platforms. The application fails to normalize and sanitize path separators consistently across different operating systems. Specifically, the backslash character is not treated as a potential directory separator or escape character when processing object keys on Windows systems.
This creates a path traversal condition where specially crafted object names containing backslashes can reference parent directories or entirely different bucket namespaces, bypassing the intended bucket-level access controls.
Attack Vector
The attack vector is network-based and requires only low-privileged authenticated access. The exploitation path is:
- The attacker authenticates to MinIO with credentials whose PutObject permission is limited to a single bucket
- The attacker sends a PutObject request whose object key contains backslash-separated traversal components (for example, a key beginning with ..\) that point outside that bucket
- Because the validation does not recognize the backslash as a separator, MinIO accepts the key; when the object is written, the Windows filesystem resolves the backslashes and the .. components and places it outside the authorized bucket
- By aiming the write at MinIO's internal metadata (the .minio.sys area where user and policy configuration are persisted), the attacker creates a new user with administrative privileges
- The attacker authenticates with the newly created admin credentials, achieving full control of the deployment
Since no user interaction is required and the attack can be performed remotely over the network, this vulnerability poses a significant risk to Windows-based MinIO deployments exposed to untrusted users or networks.
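To make the separator mismatch concrete, here is an added Go example written for this page (illustrative code, not MinIO's source): a vulnerable object-name check that splits only on "/", a hardened one that also treats "\" as a separator on Windows, and a helper that shows where a key that slipped through would land once the filesystem joins it to the bucket directory. The function names, the onWindows flag (standing in for a runtime.GOOS check so the example runs anywhere), the /data data directory, the uploads bucket and the sample keys are all assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Illustrative reconstruction of the object-name check at the heart of
// CVE-2023-28433 (example code, not MinIO's own). Both checks look for the
// traversal components "." and ".."; the difference is which separator
// they split on.

// hasBadPathComponentVulnerable mirrors the flaw: it splits only on "/", so
// a key such as `..\..\.minio.sys\config\x` looks like one harmless
// component even though Windows will treat every "\" as a separator.
func hasBadPathComponentVulnerable(key string) bool {
	return containsDotComponent(strings.Split(key, "/"))
}

// hasBadPathComponentHardened treats "\" as a separator when running on
// Windows, so the same key is rejected. onWindows replaces a runtime.GOOS
// check so the example behaves identically on every platform.
func hasBadPathComponentHardened(key string, onWindows bool) bool {
	if onWindows {
		key = strings.ReplaceAll(key, `\`, "/")
	}
	return containsDotComponent(strings.Split(key, "/"))
}

func containsDotComponent(parts []string) bool {
	for _, p := range parts {
		if p == "." || p == ".." {
			return true
		}
	}
	return false
}

// resolvedWindowsPath shows where a key that passed validation ends up once
// the filesystem layer joins it to the bucket directory and resolves both
// "\" and "..". The second result reports whether the final path is still
// inside the bucket. "/" is used as the separator here for portability.
func resolvedWindowsPath(dataDir, bucket, key string) (string, bool) {
	full := path.Join(dataDir, bucket, strings.ReplaceAll(key, `\`, "/"))
	inside := strings.HasPrefix(full, path.Join(dataDir, bucket)+"/")
	return full, inside
}

func main() {
	// Constructed sample keys: an ordinary key, a forward-slash traversal
	// that both checks catch, and the Windows-only backslash traversal.
	keys := []string{
		"reports/q1.pdf",
		"../secret.txt",
		`..\..\.minio.sys\config\example`,
	}
	for _, k := range keys {
		full, inside := resolvedWindowsPath("/data", "uploads", k)
		fmt.Printf("%-36q vulnerable=%-5v hardened=%-5v stored=%s inside=%v\n",
			k, hasBadPathComponentVulnerable(k), hasBadPathComponentHardened(k, true), full, inside)
	}
}
```

The third key is the interesting one: the vulnerable check reports nothing wrong, yet the resolved path lands at /.minio.sys/config/example, two directories above the bucket. Normalising the backslash before the component check, as the hardened variant does, closes that gap; rejecting any key containing a backslash on Windows is an equally valid, stricter choice.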
Detection Methods for CVE-2023-28433
Indicators of Compromise
- Unexpected objects appearing in buckets that should not be accessible to certain users or service accounts
- New administrative users created without authorization or audit trail from legitimate admin actions
- API requests or audit log entries whose object key contains a backslash (\), either literally or URL-encoded as %5C
- Unusual PutObject activity from service accounts or access keys with limited permissions
Detection Strategies
- Monitor MinIO access and audit logs for object keys containing backslashes (literal \ or encoded %5C), especially in combination with .. components
- Implement alerting for any new admin user creation events and correlate with authorized change requests
- Deploy file integrity monitoring on the .minio.sys metadata directory on each drive, where MinIO persists its IAM and configuration objects
- Review access patterns for service accounts performing PutObject operations outside their designated buckets
Monitoring Recommendations
- Enable comprehensive audit logging for all MinIO API operations, particularly write operations
- Configure alerts for administrative changes including user creation, policy modifications, and bucket ACL changes
- Implement real-time log analysis to detect path traversal patterns in object keys
- Deploy network-level monitoring to detect unusual API call patterns from MinIO clients
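As an added example of the log-based detection described above (not code from the page or from MinIO), the following Go program scans audit records for three indicators: a backslash in the object key (literal or %5C-encoded), a .. traversal component once backslashes are read as separators, and a write operation whose resolved path leaves the bucket. The record shape follows the JSON produced by MinIO's audit webhook (a top-level "api" object with name, bucket and object, plus "remotehost" and "time") but is trimmed to the fields used here; the sample lines are constructed for the example and the hosts and keys in them are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// auditEntry holds the fields this example reads from an audit record. The
// names follow the top-level "api" object, "remotehost" and "time" of
// MinIO's audit webhook JSON; other fields in the record are ignored.
type auditEntry struct {
	Time       string `json:"time"`
	RemoteHost string `json:"remotehost"`
	API        struct {
		Name   string `json:"name"`
		Bucket string `json:"bucket"`
		Object string `json:"object"`
	} `json:"api"`
}

// finding is one alert for one audit record; a record can produce several.
type finding struct {
	Time, RemoteHost, API, Bucket, Object, Reason string
}

// writeAPIs are the S3 operations that create or replace object data.
var writeAPIs = map[string]bool{
	"PutObject": true, "CopyObject": true, "PutObjectPart": true,
	"NewMultipartUpload": true, "CompleteMultipartUpload": true,
}

// decodeKey undoes URL encoding (a literal backslash in a request path is
// sent as %5C) and returns the key unchanged if it is not valid encoding.
func decodeKey(raw string) string {
	if dec, err := url.PathUnescape(raw); err == nil {
		return dec
	}
	return raw
}

// analyzeEntry returns the reasons a record is suspicious, in a fixed
// order, or nil when it looks benign.
func analyzeEntry(e auditEntry) []string {
	var reasons []string
	key := decodeKey(e.API.Object)
	if strings.Contains(key, `\`) {
		reasons = append(reasons, "backslash in object key")
	}
	// Read the key the way the Windows filesystem will: "\" is a separator.
	norm := strings.ReplaceAll(key, `\`, "/")
	for _, part := range strings.Split(norm, "/") {
		if part == ".." {
			reasons = append(reasons, "traversal component (..) in object key")
			break
		}
	}
	if writeAPIs[e.API.Name] {
		resolved := path.Join(e.API.Bucket, norm)
		if !strings.HasPrefix(resolved, e.API.Bucket+"/") {
			reasons = append(reasons, "write resolves outside bucket: "+resolved)
		}
	}
	return reasons
}

// scanAuditLines parses one JSON record per line and returns the findings
// plus the number of lines that were not valid audit records.
func scanAuditLines(lines []string) ([]finding, int) {
	var out []finding
	malformed := 0
	for _, line := range lines {
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil || e.API.Name == "" {
			malformed++
			continue
		}
		for _, r := range analyzeEntry(e) {
			out = append(out, finding{e.Time, e.RemoteHost, e.API.Name, e.API.Bucket, e.API.Object, r})
		}
	}
	return out, malformed
}

// sampleAuditLines are constructed records, not captured from a real system.
var sampleAuditLines = []string{
	`{"version":"1","time":"2023-03-21T10:00:00Z","remotehost":"10.0.0.5","api":{"name":"PutObject","bucket":"uploads","object":"reports/q1.pdf","status":"OK","statusCode":200}}`,
	`{"version":"1","time":"2023-03-21T10:00:07Z","remotehost":"10.0.0.99","api":{"name":"PutObject","bucket":"uploads","object":"..\\..\\.minio.sys\\config\\example.json","status":"OK","statusCode":200}}`,
	`{"version":"1","time":"2023-03-21T10:00:09Z","remotehost":"10.0.0.99","api":{"name":"GetObject","bucket":"uploads","object":"a%5Cb.txt","status":"OK","statusCode":200}}`,
	`not a json record`,
}

func main() {
	findings, malformed := scanAuditLines(sampleAuditLines)
	for _, f := range findings {
		fmt.Printf("%s %s %s %s/%q: %s\n", f.Time, f.RemoteHost, f.API, f.Bucket, f.Object, f.Reason)
	}
	fmt.Printf("%d finding(s), %d malformed line(s)\n", len(findings), malformed)
}
```

Feed it the audit webhook output line by line and alert on any finding from a Windows deployment; a legitimate key that happens to contain the literal text %5C would be decoded and flagged, which is an acceptable false positive for a pattern that should never appear in normal traffic.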
How to Mitigate CVE-2023-28433
Immediate Actions Required
- Upgrade all Windows-based MinIO deployments to version RELEASE.2023-03-20T20-16-18Z or later immediately
- Audit existing admin users and service accounts for any unauthorized additions
- Review MinIO access logs for evidence of exploitation attempts or successful attacks
- Rotate credentials for any accounts that may have been compromised
Patch Information
MinIO has released a patched version that addresses this vulnerability. The fix makes object-name validation on Windows account for the backslash, so backslash-based traversal is rejected just as forward-slash traversal already was.
Patched Version: RELEASE.2023-03-20T20-16-18Z
For detailed patch information, see the MinIO commit updates and the GitHub Security Advisory.
The official release can be downloaded from the MinIO Release Tag.
Workarounds
- According to the security advisory, there are no known workarounds for this vulnerability - upgrading is the only remediation
- As a defense-in-depth measure, restrict network access to MinIO deployments from untrusted networks
- Implement strict monitoring and alerting for any administrative changes until patching is complete
- Consider temporarily disabling or restricting service accounts and access keys with PutObject permissions until the patch is applied
# Upgrade MinIO to the patched version on Windows (PowerShell)
# Download the latest MinIO release. In Windows PowerShell "curl" is only an alias for Invoke-WebRequest and does not accept -O, so use -OutFile
Invoke-WebRequest -Uri https://dl.min.io/server/minio/release/windows-amd64/minio.exe -OutFile .\minio.exe
# Check the download against the SHA-256 published alongside the binary before replacing the running one (hex case differs; compare ignoring case)
Invoke-WebRequest -Uri https://dl.min.io/server/minio/release/windows-amd64/minio.exe.sha256sum -OutFile .\minio.exe.sha256sum
(Get-FileHash -Algorithm SHA256 .\minio.exe).Hash
Get-Content .\minio.exe.sha256sum
# Verify the version after upgrade (stop the service, replace the binary, restart, then run)
.\minio.exe --version
# Should show RELEASE.2023-03-20T20-16-18Z or later
# Review existing users for unauthorized entries; "myminio" is the mc alias configured for this deployment
mc admin user list myminio
# Inspect the policy attached to any user you do not recognize
mc admin user info myminio ACCESS_KEY
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.