CVE-2024-24747
Published: 31 January 2024
Summary
CVE-2024-24747 is a high-severity Improper Privilege Management (CWE-269) vulnerability in MinIO (NVD vendor/product: minio/minio). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.5% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and has a public proof-of-concept referenced.
Deeper analysis
MinIO, a high-performance object storage server, contains an improper privilege inheritance flaw tracked as CVE-2024-24747. When an access key is created, it inherits the full permission set of its parent key, covering both `s3:*` and `admin:*` actions. Because the inherited `admin:*` rights include the ability to manage access-key policies, a child key can rewrite its own `s3` permissions to something more permissive unless `admin` rights are explicitly denied somewhere higher in the key hierarchy. The issue is classified as CWE-269 (Improper Privilege Management) and carries a CVSS 3.1 base score of 8.8.
An authenticated principal that holds permission to create access keys can therefore mint a new key that carries inherited administrative rights. With those rights the attacker can escalate privileges, override restrictive `s3` policies, and obtain full read, write and delete access to stored objects as well as to administrative functions, with no further involvement of the parent account.
The vulnerability is resolved in MinIO release RELEASE.2024-01-31T20-20-33Z. The patch and advisory are published in the project's GitHub repository; administrators should upgrade immediately and review existing access-key hierarchies for unintended admin inheritance, adding an explicit deny of `admin:*` wherever a key should not hold admin rights. The associated EPSS score has remained flat at 0.27 with no material increase since disclosure.
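To make the advisory's condition concrete (inherited admin rights are only harmless if `admin` is denied somewhere in the hierarchy) and to support the review of existing keys recommended above, the following added example audits policy documents for admin actions that remain effectively allowed and shows the hardening step. It is not MinIO project code. It assumes the MinIO/AWS-style policy JSON layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`), the usual rule that an unconditional explicit `Deny` overrides any `Allow`, and that the two service-account admin action names listed are the ones relevant to your release (confirm against the MinIO documentation); the sample policies are constructed for illustration.

```python
"""Audit MinIO IAM policy documents for effectively allowed admin actions.

Added example, not MinIO project code. Assumes MinIO/AWS-style policy JSON
and deny-overrides-allow evaluation; sample policies below are constructed.
"""
import copy
import fnmatch

# Admin actions through which a key can rewrite access-key permissions.
# Assumption: these follow MinIO's admin action naming; verify for your release.
ESCALATION_ACTIONS = (
    "admin:CreateServiceAccount",
    "admin:UpdateServiceAccount",
)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM-style wildcard match (`*` and `?`), case-sensitive."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def effective_decision(policy, action):
    """Evaluate one action against a policy document.

    Returns "deny" if an unconditional explicit Deny matches, "allow" if some
    Allow matches and no unconditional Deny does, else "implicit-deny".
    Conditions are handled conservatively for an audit: a conditional Allow is
    treated as granting (worst case), a conditional Deny is not trusted to block.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny" and "Condition" not in stmt:
            return "deny"
        if effect == "Allow":
            allowed = True
    return "allow" if allowed else "implicit-deny"


def audit_policies(policies):
    """Return {policy_name: [escalation actions effectively allowed]}."""
    findings = {}
    for name, doc in policies.items():
        open_actions = [a for a in ESCALATION_ACTIONS
                        if effective_decision(doc, a) == "allow"]
        if open_actions:
            findings[name] = open_actions
    return findings


def harden(policy):
    """Return a copy with an explicit, unconditional Deny on admin:*.

    This applies the advisory's own escape hatch: inherited admin rights are
    neutralised only when admin is denied in the key hierarchy.
    """
    hardened = copy.deepcopy(policy)
    stmts = _as_list(hardened.get("Statement"))
    stmts.append({"Effect": "Deny", "Action": ["admin:*"]})
    hardened["Statement"] = stmts
    return hardened


# Constructed sample policies (not taken from any real deployment).
SAMPLE_POLICIES = {
    # Typical over-broad parent: grants both s3:* and admin:*.
    "app-readwrite": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"],
             "Resource": ["arn:aws:s3:::app-bucket/*"]},
            {"Effect": "Allow", "Action": ["admin:*"]},
        ],
    },
    # Same grant, but admin is explicitly denied: children cannot escalate.
    "app-readwrite-noadmin": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"],
             "Resource": ["arn:aws:s3:::app-bucket/*"]},
            {"Effect": "Allow", "Action": ["admin:*"]},
            {"Effect": "Deny", "Action": ["admin:*"]},
        ],
    },
    # Only a single s3 action; nothing inherited that can escalate.
    "readonly": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::app-bucket/*"]},
        ],
    },
    # A Deny that only applies under a condition is not a reliable guard.
    "ops": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "admin:*"},
            {"Effect": "Deny", "Action": "admin:CreateServiceAccount",
             "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
        ],
    },
}

if __name__ == "__main__":
    for name, actions in audit_policies(SAMPLE_POLICIES).items():
        print(f"{name}: admin escalation possible via {', '.join(actions)}")
```

Feed `audit_policies` the policy documents attached to your users, groups and existing access keys (for example as exported with `mc admin policy info`); any policy reported is one whose children could rewrite their own permissions on an unpatched server, and `harden` shows the minimal explicit-deny change that closes that path regardless of what the parent grants.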
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0775
Vulnerability details
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-269) cited in the NVD entry.
Policy defines roles, responsibilities and privilege management so that improper privilege assignments are prevented.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) as part of account review addresses improper privilege management.
Requiring every access decision to pass through a verified reference monitor enforces proper privilege management.
Mandating separation of duties across roles enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Least privilege restricts each account to only the rights it requires, which is the core of proper privilege management.
Policy requires training on privilege management and least privilege, making improper privilege management weaknesses harder to exploit.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.