CVE-2024-24747

8.8 HIGH

📋 TL;DR

This CVE describes a privilege escalation vulnerability in MinIO where newly created access keys inherit admin permissions from parent keys, allowing users to escalate their own S3 permissions. All MinIO deployments using affected versions are vulnerable unless explicit deny policies for admin actions exist in the access key hierarchy. The vulnerability enables unauthorized administrative access.

💻 Affected Systems

Products:
  • MinIO
Versions: All versions before RELEASE.2024-01-31T20-20-33Z
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All MinIO deployments using affected versions are vulnerable unless explicit deny policies for admin actions exist in the access key hierarchy.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers with any access key can gain full administrative control over the MinIO instance, allowing them to read, modify, or delete all stored objects, create new users, and potentially compromise the entire storage system.

🟠

Likely Case

Users with legitimate S3 access can escalate their permissions to administrative levels, bypassing intended access controls and potentially accessing sensitive data or disrupting operations.

🟢

If Mitigated

If explicit deny policies for admin actions exist in the access key hierarchy above the vulnerable key, the impact is limited to the specific permissions granted to that key.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an existing access key, but the attack is straightforward once an attacker has any valid access key.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2024-01-31T20-20-33Z

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4

Restart Required: Yes

Instructions:

1. Backup your MinIO configuration and data.
2. Stop the MinIO service.
3. Update to RELEASE.2024-01-31T20-20-33Z or later.
4. Restart the MinIO service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Add explicit deny policies for admin actions

all

Add explicit deny statements for admin:* actions in all access key policies to prevent inheritance of admin permissions.

Use MinIO's policy management tools to add "Effect": "Deny", "Action": "admin:*" to all access key policies

🧯 If You Can't Patch

  • Review and audit all access key policies to ensure admin actions are explicitly denied where not required
  • Implement strict monitoring for unusual admin activity and regularly rotate access keys
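An added example (not part of the advisory, and not MinIO's own tooling) that audits the IAM-style policy JSON MinIO uses for the explicit admin:* Deny described in the workaround above, and appends that Deny where it is missing. The sample policy and the exact shape of the Deny statement are constructed assumptions modelled on the advisory text; a Deny that is gated by a Condition or that names only a single admin action is deliberately not counted as sufficient.

```python
import copy
import json

# Constructed sample: a read-only S3 policy as it might be attached to an
# access key. It says nothing about admin:* actions, which is the gap the
# workaround in this advisory closes with an explicit Deny.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::*"],
    }],
}

# Deny statement modelled on the advisory's workaround text (assumed shape).
ADMIN_DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": ["admin:*"],
    "Resource": ["arn:aws:s3:::*"],
}

def _actions(statement):
    """Normalise Action, which IAM-style policies allow as a string or a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)

def denies_admin_actions(policy):
    """True only if an unconditional Deny covers every admin:* action.
    A Deny limited to one admin action or gated by a Condition is not enough."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Deny" or "Condition" in statement:
            continue
        if any(a in ("*", "admin:*") for a in _actions(statement)):
            return True
    return False

def harden_policy(policy):
    """Return a copy of the policy with the explicit admin:* Deny appended if missing."""
    hardened = copy.deepcopy(policy)
    if not denies_admin_actions(hardened):
        hardened.setdefault("Statement", []).append(copy.deepcopy(ADMIN_DENY_STATEMENT))
    return hardened

def audit_policies(policies):
    """Names of policies (name -> policy dict) that lack the explicit admin Deny."""
    return sorted(name for name, pol in policies.items() if not denies_admin_actions(pol))

if __name__ == "__main__":
    print("missing admin Deny:", audit_policies({"readonly": EXAMPLE_POLICY}))
    print(json.dumps(harden_policy(EXAMPLE_POLICY), indent=2))
```

Run the audit over every policy attached to users and service accounts in the key hierarchy, since the advisory's mitigation only holds when the Deny exists above the key being created.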

🔍 How to Verify

Check if Vulnerable:

Check if your MinIO version is earlier than RELEASE.2024-01-31T20-20-33Z

Check Version:

minio --version

Verify Fix Applied:

Confirm your MinIO version is RELEASE.2024-01-31T20-20-33Z or later and test that new access keys no longer inherit admin permissions

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin API calls from non-admin users
  • Access key creation events followed by admin actions
  • Policy modification events

Network Indicators:

  • Admin API requests from unexpected IP addresses or users
  • Unusual pattern of S3 operations escalating to admin operations

SIEM Query:

source="minio" AND (action="admin:*" OR policy_changes) AND user_role!="admin"
