
CVE-2021-21390 : What You Need to Know

CVE-2021-21390 affects the MinIO object storage service: an on-path (man-in-the-middle) attacker can modify request bodies that chunk signatures were supposed to protect. This page covers how the vulnerability works, its impact, and the steps needed to secure affected deployments.

MinIO, an open-source high-performance object storage service with an Amazon S3-compatible API, was found to have a vulnerability that let a man-in-the-middle (MITM) attacker modify request bodies whose integrity was supposed to be guaranteed by chunk signatures. The CVE affects all releases before RELEASE.2021-03-17T02-33-02Z and has a CVSS v3.1 base score of 6.5 (Medium).

Understanding CVE-2021-21390

MinIO releases prior to RELEASE.2021-03-17T02-33-02Z are susceptible to a MITM attack in which the attacker rewrites the body of an upload request whose integrity should have been guaranteed by per-chunk signatures, and the server accepts the rewritten body as if it were the client's.

What is CVE-2021-21390?

In MinIO releases before RELEASE.2021-03-17T02-33-02Z, a vulnerability allows MITM modification of request bodies that should have their integrity guaranteed by chunk signatures. With aws-chunked encoding (the streaming variant of AWS Signature Version 4), a PUT body is sent as a sequence of chunks, each prefixed with its size in hex and a chunk-signature that chains from the previous chunk's signature back to the signed request headers. The chunk size travels in the clear and is therefore attacker-controlled on an unencrypted connection. By sending a false chunk size, an attacker can trick the affected server into skipping signature verification for the data that follows, so the chained signatures no longer protect the body.

The Impact of CVE-2021-21390

The vulnerability is rated Medium severity with a CVSS v3.1 base score of 6.5. The attack vector is the network, no privileges are required, and user interaction is required in the sense that a legitimate client must perform an upload for the attacker to tamper with. The integrity impact is high: the object that ends up in storage is not the one the client sent, while the attacker never needs the client's credentials.

Technical Details of CVE-2021-21390

The vulnerability lets an attacker positioned between a client and a MinIO server modify the body of an in-flight request, so the stored object differs from what the authenticated client uploaded. The attacker does not need to read or obtain the client's keys; the damage is to the integrity of the stored data.

Vulnerability Description

The flaw allows an attacker to manipulate request bodies by falsifying the chunk sizes in an aws-chunked stream. Because the affected server lets the declared size determine how the remaining data is handled, the chunk signature verification that should cover those bytes is bypassed.

Affected Systems and Versions

All MinIO releases before RELEASE.2021-03-17T02-33-02Z are affected; the fix ships in that release and every later one. A deployment is exposed in practice when clients reach it over plain HTTP (no TLS), so that an on-path attacker can rewrite traffic, and those clients upload with aws-chunked encoding.
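The check below, an added example and not MinIO's own tooling, decides whether a MinIO version string falls before the fixed release. MinIO release tags are of the form RELEASE.<UTC timestamp>Z, so ordering them is a timestamp comparison; the ".hotfix.<hex>" suffix pattern it tolerates and the `minio --version` output format it parses are assumptions, and all version strings in it are constructed samples.

```python
import re
from datetime import datetime, timezone
from typing import Optional

FIXED_RELEASE = "RELEASE.2021-03-17T02-33-02Z"

# A release tag is RELEASE.<YYYY-MM-DD>T<HH-MM-SS>Z. The optional hotfix suffix is
# assumed to look like ".hotfix.<hex>" and is ignored for ordering purposes.
RELEASE_TAG = re.compile(
    r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)(?:\.hotfix\.[0-9a-f]+)?"
)


def release_time(text: str) -> Optional[datetime]:
    """Extract the release timestamp from a bare tag or from a line such as
    'minio version RELEASE.…' (assumed `minio --version` format). Development
    builds and anything unrecognised yield None rather than a guess."""
    m = RELEASE_TAG.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ").replace(tzinfo=timezone.utc)


def cve_2021_21390_status(text: str) -> str:
    """'vulnerable' if the release predates the fix, 'fixed' if it is the fixed
    release or newer, 'unknown' if no release tag can be recognised."""
    t = release_time(text)
    if t is None:
        return "unknown"
    return "vulnerable" if t < release_time(FIXED_RELEASE) else "fixed"


if __name__ == "__main__":
    # Constructed sample strings, not a list of real MinIO releases.
    for sample in ("RELEASE.2021-02-01T00-00-00Z",
                   "minio version RELEASE.2021-03-17T02-33-02Z",
                   "RELEASE.2021-04-01T00-00-00Z.hotfix.0badcafe",
                   "DEVELOPMENT.GOGET"):
        print(f"{sample:50s} {cve_2021_21390_status(sample)}")
```

An "unknown" result should be treated as unresolved rather than safe; a development build still needs to be rebuilt from a commit that contains the fix.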

Exploitation Mechanism

Exploitation requires an attacker positioned on the network path between a client and the MinIO server, which in practice means the connection is not protected by TLS. The attacker waits for a legitimate PUT that uses aws-chunked encoding and rewrites the stream in flight: by supplying a false chunk size along with attacker-chosen body bytes, they cause the affected server to skip chunk signature validation, and the object is stored with the attacker's content under the victim client's credentials. The attacker never learns the client's secret key and never has to forge a valid chunk signature.
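The following is an added example, written for this page and not taken from MinIO's code base, of the aws-chunked (streaming SigV4) body format that this CVE concerns and of a verifier that does not let the declared chunk size decide whether verification happens. It builds a signed chunk stream the way a client would, then plays the on-path attacker against it three ways (changed bytes, a false larger size replaying a genuine signature, and a false zero size that tries to end the body early) and shows a correct verifier rejecting each. The seed signature is a labelled stand-in (computing the real one needs the full SigV4 canonical request), the credentials are the AWS documentation example key, and the uploaded body and the attack strings are constructed.

```python
import hashlib
import hmac
import re

# Constructed fixtures: the secret is the AWS documentation example key, not a real credential.
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20210317T000000Z"
SCOPE = "20210317/us-east-1/s3/aws4_request"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
CHUNK_HEADER = re.compile(rb"([0-9a-fA-F]+);chunk-signature=([0-9a-f]{64})\r\n")


class ChunkSignatureError(Exception):
    pass


def signing_key(secret: str, scope: str) -> bytes:
    """SigV4 key derivation: an HMAC chain over date, region, service and 'aws4_request'."""
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def chunk_signature(key: bytes, prev_sig: str, data: bytes) -> str:
    """Signature of one chunk. It binds the chunk's bytes to the previous signature,
    so every chunk, including the empty terminator, chains back to the request headers."""
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256-PAYLOAD", AMZ_DATE, SCOPE, prev_sig,
                                EMPTY_SHA256, hashlib.sha256(data).hexdigest()])
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def encode_chunked(key: bytes, seed_sig: str, body: bytes, chunk_size: int) -> bytes:
    """Client side: '<hex size>;chunk-signature=<sig>\\r\\n<data>\\r\\n' per chunk,
    ending with a signed zero-length chunk."""
    pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)] + [b""]
    wire, prev = bytearray(), seed_sig
    for piece in pieces:
        sig = chunk_signature(key, prev, piece)
        wire += f"{len(piece):x};chunk-signature={sig}\r\n".encode() + piece + b"\r\n"
        prev = sig
    return bytes(wire)


def verify_chunked(key: bytes, seed_sig: str, stream: bytes, decoded_length: int) -> bytes:
    """Server side. The declared size comes off the wire and may be a lie, so it is only
    used to slice the candidate bytes; those bytes are accepted solely because their
    signature verifies against the running chain. The terminator is verified as well."""
    body, prev, pos = bytearray(), seed_sig, 0
    while True:
        m = CHUNK_HEADER.match(stream, pos)
        if not m:
            raise ChunkSignatureError("malformed chunk header")
        size, claimed = int(m.group(1), 16), m.group(2).decode()
        data = stream[m.end():m.end() + size]
        if len(data) != size or stream[m.end() + size:m.end() + size + 2] != b"\r\n":
            raise ChunkSignatureError("chunk shorter than its declared size")
        if not hmac.compare_digest(chunk_signature(key, prev, data), claimed):
            raise ChunkSignatureError("chunk signature mismatch")
        body += data
        prev, pos = claimed, m.end() + size + 2
        if size == 0:
            break
    if pos != len(stream):
        raise ChunkSignatureError("trailing bytes after the final chunk")
    if len(body) != decoded_length:
        raise ChunkSignatureError("body length differs from x-amz-decoded-content-length")
    return bytes(body)


def outcome(key: bytes, seed_sig: str, stream: bytes, decoded_length: int) -> str:
    try:
        verify_chunked(key, seed_sig, stream, decoded_length)
        return "accepted"
    except ChunkSignatureError as e:
        return f"rejected: {e}"


def demo_mitm() -> dict:
    """Constructed scenario: a client PUTs a small policy file over plain HTTP and an
    on-path attacker rewrites the stream three ways; a correct verifier rejects all three."""
    key = signing_key(SECRET_KEY, SCOPE)
    # The seed is the SigV4 signature of the request headers; computing it needs the full
    # canonical request, so a stand-in derived from the key is used here (assumption).
    seed_sig = hmac.new(key, b"header-signature stand-in", hashlib.sha256).hexdigest()
    body = b"ALLOW bob\nDENY  mallory\n"              # 24 bytes -> three 8-byte chunks
    wire = encode_chunked(key, seed_sig, body, chunk_size=8)
    parts = wire.split(b"\r\n")                       # [hdr0, data0, hdr1, data1, ...]
    sig0 = parts[0].split(b"=")[1]                    # genuine signature of chunk 0

    # 1. Flip bytes inside a chunk; size and signature left as they were.
    tampered_data = wire.replace(b"DENY ", b"ALLOW", 1)
    # 2. False (larger) size with attacker bytes, replaying the genuine signature.
    evil = b"ALLOW mallory\n"
    false_size = b"\r\n".join([b"%x;chunk-signature=" % len(evil) + sig0, evil] + parts[2:])
    # 3. False zero size on chunk 0, an attempt to end the body early.
    false_end = b"\r\n".join([b"0;chunk-signature=" + sig0, b""] + parts[2:])

    return {
        "honest": outcome(key, seed_sig, wire, len(body)),
        "tampered_data": outcome(key, seed_sig, tampered_data, len(body)),
        "false_size": outcome(key, seed_sig, false_size, len(evil) + 16),
        "false_end": outcome(key, seed_sig, false_end, 0),
    }


if __name__ == "__main__":
    for name, result in demo_mitm().items():
        print(f"{name:14s} {result}")
```

In a real request the seed is the signature from the Authorization header, the decoded length comes from the x-amz-decoded-content-length header, and the server must discard everything it has buffered as soon as one chunk fails. The property to keep in mind is the one the CVE breaks: a size field that the attacker can rewrite must never be the thing that decides whether the bytes behind it get verified.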

Mitigation and Prevention

To address CVE-2021-21390 and protect MinIO deployments, certain steps and practices can be followed.

Immediate Steps to Take

Update MinIO to RELEASE.2021-03-17T02-33-02Z or newer; this is the only complete fix. Until the update can be rolled out, the advisory's workarounds remove the attacker's position rather than the bug: serve MinIO over TLS so that no on-path party can rewrite request bodies, or configure clients not to use aws-chunked encoding (for example by sending the body as a single signed payload rather than as streaming chunks) so that the affected code path is never reached.

Long-Term Security Practices

Keep MinIO on a current release, and require TLS between clients and the server as a standing policy rather than a one-off workaround: chunk signatures protect integrity only as far as the server verifies them, whereas TLS denies an attacker the on-path position that every variant of this attack needs.

Patching and Updates

Track MinIO's security advisories and apply its patch releases promptly so that vulnerabilities like CVE-2021-21390 are closed before an attacker can take advantage of them.
