Impact
The AddUser() API endpoint was exposed to a legacy behavior: it accepted
a "policy" field in the request body. This API is mainly used to create
a user or update a user's password. However, a malicious client could
hand-craft an HTTP API call that updates the policy for a user and
thereby gain higher privileges.

We have not seen any reports of this issue from our customers
or community users. This was reproduced internally during a
regular security audit.

There are no known SDKs or client-side tools that expose this behavior.

Prior knowledge of Admin API calls is needed to come up with an exploit,
and the user must have valid credentials to access the MinIO service.
Patches
The fix changes the accepted request body type and removes the
ability to apply (legacy) policy changes through this API.
Policy changes are only allowed through the policy 'set' API call.
commit 5a96cbbeaabd0a82b0fe881378e7c21c85091abf
Author: Aditya Manthramurthy <donatello@users.noreply.github.com>
Date: Thu Dec 23 09:21:21 2021 -0800
Fix user privilege escalation bug (#13976)
The AddUser() API endpoint was accepting a policy field.
This API is used to update a user's secret key and account
status, and allows a regular user to update their own secret key.
The policy update is also applied though does not appear to
be used by any existing client-side functionality.
This fix changes the accepted request body type and removes
the ability to apply policy changes as that is possible via the
policy set API.
NOTE: Changing passwords can be disabled as a workaround
for this issue by adding an explicit "Deny" rule to disable the API
for users.
Users are advised to upgrade to RELEASE.2021-12-27T07-23-18Z
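The following Go program is an added illustration of the pattern the fix describes; it is not MinIO's code, and the request field names, the in-memory user store and the boolean admin check are assumptions made for the example. It contrasts a legacy handler that decodes a "policy" field and applies it with a fixed handler whose request type has no such field, and it keeps policy changes on a separate, admin-only path. Rejecting unknown JSON keys with DisallowUnknownFields is an extra hardening step added here, not something the advisory states.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// User is a constructed, in-memory account record (not MinIO's data model).
type User struct {
	SecretKey string
	Status    string
	Policy    string
}

// legacyAddUserRequest mirrors the pre-fix shape: the body carried a
// "policy" field next to the secret key and status (field names assumed).
type legacyAddUserRequest struct {
	SecretKey string `json:"secretKey"`
	Status    string `json:"status"`
	Policy    string `json:"policy"`
}

// fixedAddUserRequest is the narrowed body type: no policy field at all.
type fixedAddUserRequest struct {
	SecretKey string `json:"secretKey"`
	Status    string `json:"status"`
}

// ensure returns the named user, creating it if absent.
func ensure(users map[string]*User, name string) *User {
	if u, ok := users[name]; ok {
		return u
	}
	u := &User{}
	users[name] = u
	return u
}

// legacyAddUser applies every field it decodes, including policy. A caller
// who may only rotate their own secret key can therefore raise their own
// privileges by adding a "policy" key to the body.
func legacyAddUser(users map[string]*User, name string, body []byte) error {
	var req legacyAddUserRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	u := ensure(users, name)
	u.SecretKey = req.SecretKey
	u.Status = req.Status
	if req.Policy != "" {
		u.Policy = req.Policy // the escalation path
	}
	return nil
}

// fixedAddUser decodes into the narrowed type, so a "policy" key has nothing
// to land on. DisallowUnknownFields (added hardening) turns the stray key
// into an error instead of silently dropping it, which also makes attempts
// visible in server logs.
func fixedAddUser(users map[string]*User, name string, body []byte) error {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req fixedAddUserRequest
	if err := dec.Decode(&req); err != nil {
		return fmt.Errorf("add-user: %w", err)
	}
	u := ensure(users, name)
	u.SecretKey = req.SecretKey
	u.Status = req.Status
	return nil
}

// setUserPolicy is the only path that changes a policy; authorization is
// modelled as a boolean here (assumption) and must come from the server's
// own identity checks, never from the request body.
func setUserPolicy(users map[string]*User, callerIsAdmin bool, name, policy string) error {
	if !callerIsAdmin {
		return errors.New("set-policy: access denied")
	}
	ensure(users, name).Policy = policy
	return nil
}

func main() {
	users := map[string]*User{}
	// Constructed request body carrying the extra "policy" key.
	body := []byte(`{"secretKey":"s3cr3t","status":"enabled","policy":"consoleAdmin"}`)
	_ = legacyAddUser(users, "alice", body)
	fmt.Println("legacy policy:", users["alice"].Policy)
	fresh := map[string]*User{}
	fmt.Println("fixed error:", fixedAddUser(fresh, "alice", body))
	fmt.Println("non-admin set-policy:", setUserPolicy(fresh, false, "alice", "consoleAdmin"))
}
```

The point of the split is that the secret-key update and the policy update are different authorization decisions: a user may be allowed the first for their own account but never the second, so they should not share a request type.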
Workarounds
Changing passwords can be disabled as a workaround for this
issue by adding an explicit "Deny" rule to disable the API
for users.
References
- Introduced during a refactor done here #7949
- Fixed by changing to match the expected behavior #13976
For more information
If you have any questions or comments about this advisory: