CVE-2024-55949: 
vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-55949) was discovered in MinIO, a high-performance S3 compatible object store. The vulnerability affects the IAM import API and allows privilege escalation, impacting all users since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f from June 23, 2022. The issue was patched in RELEASE.2024-12-13T22-19-12Z (GitHub Advisory, Security Online).

The vulnerability stems from missing permission checks in the IAM import API, which allows users to modify their own permission levels. The flaw has been assigned a CVSSv4 score of 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-269 (Improper Privilege Management) (GitHub Advisory).

The vulnerability allows any authenticated user to escalate their privileges to full administrative control by crafting a malicious iam-info.zip file and uploading it via the mc admin cluster iam import command. This effectively enables users to hijack the entire MinIO deployment (Security Online).

There are no workarounds available for this vulnerability. Users are strongly advised to upgrade immediately to RELEASE.2024-12-13T22-19-12Z which contains the fix. For systems behind a load balancer or firewall such as nginx, temporary mitigation can be achieved by blocking external access to /minio/admin/v2/import-iam and /minio/admin/v3/import-iam-v2 endpoints until the deployment can be upgraded (GitHub Advisory).

The vulnerability was reported by the National Security Agency, highlighting its significance in terms of security impact. The discovery prompted immediate attention from the security community, leading to a rapid response from the MinIO team in releasing a patch (GitHub Advisory).