MinIO flaws leveraged in server takeover attacks

BleepingComputer reports that attackers are actively exploiting two vulnerabilities in the open-source object storage service MinIO, CVE-2023-28432 and CVE-2023-28434, in attacks that can lead to object storage compromise, arbitrary code execution, and full server takeover. According to Security Joes analysts, the chain begins with CVE-2023-28432, an information disclosure flaw that exposes the server's environment variables to a remote caller; those variables include the MinIO admin credentials, which give the attacker access to the admin console. From there the attacker pushes a malicious "update" that replaces the legitimate MinIO binary with a backdoored build dubbed "Evil MinIO," which is compiled from tampered MinIO .go source code that adds a command-execution endpoint; CVE-2023-28434 is also exploited in the course of the chain. "This endpoint functions as a built-in backdoor, granting unauthorized individuals the ability to execute commands on the host running the application. Notably, the executed commands inherit the system permissions of the user who initiated the application. In this instance, due to inadequate security practices, the DevOps engineer launching the application held root-level permissions," researchers added.
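The practical questions for a defender reading this are whether a given MinIO build predates the fix, whether anyone outside the cluster has hit the credential-leaking endpoint, and which leaked variables need rotating. The script below is an added example written for this article, not Security Joes' or MinIO's code. It relies on two facts from the MinIO advisories: both CVEs were fixed in RELEASE.2023-03-20T20-16-18Z, and CVE-2023-28432 lives in the bootstrap endpoint `/minio/bootstrap/v1/verify`, which in distributed deployments returned the process environment (including `MINIO_ROOT_PASSWORD` / `MINIO_SECRET_KEY`) to callers. The access-log format, the sample log lines, the peer IP set, and the release tags used as inputs are constructed for illustration and are not MinIO's actual audit-log schema or real release history.

```python
"""Triage helpers for the MinIO CVE-2023-28432 / CVE-2023-28434 chain.

Added example, not Security Joes' or MinIO's code. The log format handled
here ("METHOD PATH STATUS SOURCE-IP") is a constructed, simplified shape,
not MinIO's real audit-log schema.
"""
import re
from dataclasses import dataclass

# Both CVEs were patched in this release, per the MinIO security advisories.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Endpoint behind CVE-2023-28432: on unpatched distributed deployments a POST
# here returned the server's environment variables, credentials included.
VERIFY_ENDPOINT = "/minio/bootstrap/v1/verify"

_TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)$")
_LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<src>\S+)$")


def is_vulnerable_release(tag: str) -> bool:
    """True if the release tag predates the fix.

    MinIO tags embed a UTC timestamp in a fixed-width format, so comparing
    the timestamp substrings lexicographically is a chronological compare.
    """
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised MinIO release tag: {tag!r}")
    return m.group(1) < _TAG_RE.match(FIXED_RELEASE).group(1)


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str


def find_verify_probes(log_lines, cluster_peers):
    """Flag POSTs to the bootstrap verify endpoint from non-peer hosts.

    Legitimate calls to this endpoint come only from other nodes of the same
    deployment; anything else is a credential-harvesting attempt worth
    investigating, whether or not the server was already patched.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        if m["method"] != "POST" or m["path"].split("?")[0] != VERIFY_ENDPOINT:
            continue
        if m["src"] not in cluster_peers:
            findings.append(Finding(n, m["src"], "bootstrap verify called from non-peer host"))
    return findings


def leaked_secrets(env_dump: dict) -> list:
    """Given an environment dump (what the vulnerable endpoint returned),
    list the variables an attacker could reuse as MinIO credentials, i.e. the
    ones that must be rotated after patching."""
    sensitive = {"MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD",
                 "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY"}
    return sorted(k for k in env_dump if k in sensitive)


# Constructed sample data: not real traffic, not real cluster addresses.
SAMPLE_LOG = [
    "GET /minio/health/live 200 10.0.0.12",
    "POST /minio/bootstrap/v1/verify 200 10.0.0.11",    # peer node, expected
    "POST /minio/bootstrap/v1/verify 200 203.0.113.7",  # external probe
    "PUT /backups/db.tar 200 10.0.0.50",
]
CLUSTER_PEERS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}

if __name__ == "__main__":
    for f in find_verify_probes(SAMPLE_LOG, CLUSTER_PEERS):
        print(f"line {f.line_no}: {f.src}: {f.reason}")
    # Constructed tag for illustration, chosen to predate the fix.
    print(is_vulnerable_release("RELEASE.2023-03-13T19-46-17Z"))
```

Patching alone does not end the incident: any credentials the endpoint exposed before the upgrade are still valid until rotated, and a server whose binary was already swapped for Evil MinIO must be rebuilt from a trusted release rather than merely updated. The root-permissions detail in the researchers' quote is the other lasting lesson: run MinIO under a dedicated unprivileged account so that a future backdoor endpoint executes commands as that account, not as root.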
