CVE-2021-21390

MITM modification of request bodies in MinIO

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.

MinIO es un servicio de almacenamiento de objetos de alto rendimiento de código abierto y su API es compatible con el servicio de almacenamiento en la nube Amazon S3. En MinIO versiones anteriores a RELEASE.2021-03-17T02-33-02Z, se presenta una vulnerabilidad que permite la modificación por parte de un MITM de los cuerpos de las peticiones que se supone que presentan la integridad garantizada por las firmas de los fragmentos. En una petición PUT que usa la codificación aws-chunked, MinIO normalmente comprueba las firmas al final de un fragmento. Esta comprobación puede saltarse si el cliente envía un tamaño de fragmento falso que es mucho mayor que los datos reales enviados: el servidor acepta y completa la petición sin llegar nunca al final del fragmento + por tanto sin comprobar nunca la firma del fragmento. Esto se ha corregido en la versión RELEASE.2021-03-17T02-33-02Z. Como solución, se puede evitar el uso de peticiones de carga de firmas de fragmentos basadas en la codificación "aws-chunked" y, en su lugar, usar TLS. Los SDKs de MinIO deshabilitan automáticamente la firma de codificación en trozos cuando el endpoint del servidor está configurado con TLS

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-03-19 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0	2024-08-03
https://github.com/minio/minio/pull/11801	2024-08-03
https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Minio Search vendor "Minio"		Minio Search vendor "Minio" for product "Minio"				< 2021-03-17t02-33-02z Search vendor "Minio" for product "Minio" and version " < 2021-03-17t02-33-02z"		-		Affected