
CVE-2024-24747

Severity: High · Public PoC

Published: 31 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: 31 January 2024
CVSS v3.1 Score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2706 (96.5th percentile)
Risk Priority: 34 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-24747 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the MinIO object storage server (vendor MinIO, product MinIO). Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 3.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

MinIO, a high-performance object storage system, contains an improper privilege inheritance flaw tracked as CVE-2024-24747. When an access key is created, it receives the full permission set of its parent key, including both s3:* and admin:* actions. As a result, any child key can modify its own s3 permissions to become more permissive unless an explicit admin denial exists higher in the key hierarchy. The issue is assigned CWE-269 and carries a CVSS 3.1 score of 8.8.

An authenticated user holding permission to create access keys can therefore generate a new key that inherits administrative rights. With those rights the attacker can escalate privileges, override restrictive s3 policies, and obtain full read, write, or delete access to stored objects and administrative functions without further interaction from the parent account.

The vulnerability is resolved in MinIO release 2024-01-31T20-20-33Z. The corresponding patch and advisory are published in the project’s GitHub repository, and administrators are advised to upgrade immediately and review existing access-key hierarchies for unintended admin inheritance. The associated EPSS score has remained flat at 0.27 with no material increase after disclosure.
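An audit helper for the review recommended above, added here as an example and not MinIO's own code: it checks a release tag against the fixed build named in the advisory, and evaluates an access key's inherited policy chain the way the advisory describes (the child receives the parent's full set, and only an explicit Deny higher in the hierarchy blocks admin actions). The policy format is the IAM-style JSON MinIO uses; the probe action names and every sample policy are assumptions constructed for the example, not values from this page.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Fixed build named in the advisory on this page.
FIXED_RELEASE = "RELEASE.2024-01-31T20-20-33Z"

def release_time(release: str) -> datetime:
    """Parse a MinIO release tag of the form RELEASE.YYYY-MM-DDTHH-MM-SSZ."""
    return datetime.strptime(release.removeprefix("RELEASE."), "%Y-%m-%dT%H-%M-%SZ")

def is_unpatched(release: str) -> bool:
    """True when the running build predates the fixed release."""
    return release_time(release) < release_time(FIXED_RELEASE)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def decide(policies, action):
    """Evaluate one action against a list of IAM-style policy documents
    (Statement/Effect/Action JSON). An explicit Deny in any policy wins;
    otherwise the action is allowed if any Allow statement matches it."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action"))):
                if stmt.get("Effect") == "Deny":
                    return "Deny"
                if stmt.get("Effect") == "Allow":
                    allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Admin actions a child key should not be able to reach (assumed action names).
ADMIN_PROBES = ("admin:CreateServiceAccount", "admin:UpdateServiceAccount", "admin:*")

def inherits_admin(chain):
    """chain: policy documents from the root key down to the child key.
    Models the pre-fix inheritance described above: the child gets the whole
    parent set, so admin is reachable unless an ancestor explicitly denies it."""
    return [a for a in ADMIN_PROBES if decide(chain, a) == "Allow"]

# Constructed sample policies (not taken from the advisory).
ROOT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "admin:*"], "Resource": "arn:aws:s3:::*"}]}
DENY_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "admin:*"}]}
S3_ONLY_CHILD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}

if __name__ == "__main__":
    print("unpatched:", is_unpatched("RELEASE.2024-01-01T00-00-00Z"))  # constructed tag
    print("admin reachable:", inherits_admin([ROOT_POLICY, S3_ONLY_CHILD]))
    print("admin reachable with deny:", inherits_admin([ROOT_POLICY, DENY_ADMIN, S3_ONLY_CHILD]))
```

Any key whose chain returns a non-empty list from `inherits_admin` on an unpatched build is one to re-scope or rotate after upgrading.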


Vulnerability details

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: minio
Product: minio
Version: 2024-01-31t20-20-33z

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-269) Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
- (addresses CWE-269) Access supervision ensures privileges are assigned and managed without improper escalation or retention.
- (addresses CWE-269) Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
- (addresses CWE-269) Enforces proper privilege management by requiring that all access decisions pass through the verified reference monitor.
- (addresses CWE-269) By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
- (addresses CWE-269) Implements proper privilege management by restricting each account to only the rights it requires (least privilege).
- (addresses CWE-269) Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
- (addresses CWE-269) Training covers proper privilege management practices, making incorrect privilege assignments less likely.
