Impact

All 'admin' users authorized for admin:ServerUpdate can selectively trigger an error that in
response, in turn, returns the content of the path requested for example

mc admin update alias/ /etc/passwd

The contents of /etc/passwd are returned back with an error response, so any normal
OS system would allow access to contents at any arbitrary paths that are readable by
MinIO process.

This issue was discovered by @Alevsk during an internal security audit. The affected
code has been removed from the repository.

Patches

commit bc72e4226e669d98c8e0f3eccc9297be9251c692
Author: Harshavardhana <harsha@minio.io>
Date:   Thu Jul 28 17:44:21 2022 -0700

    do not allow filesystem fallback in server download (#15429)
    
    It is possible for anyone with admin access to relatively
    to get any content of any random OS location by simply
    providing the file with 'mc admin update alias/ /etc/passwd`.
    
    Workaround is to disable 'admin:ServiceUpdate' action. Everyone
    is advised to upgrade to this patch.
    
    Thanks to @alevsk for finding this bug.

Workarounds

You can disable ServerUpdate API by denying the admin:ServerUpdate action for your admin users via IAM policies.

For example an explicit "Deny" for "admin:ServerUpdate" until you can upgrade the affected systems to the latest releases.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "admin:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "admin:ServerUpdate"
      ]
    }
  ]
}

References

The referenced PR #15429 provides the relevant details

For more information

If you have any questions or comments about this advisory:

• Open an issue in issues
• Email us at security@min.io