FreeBSD : minio -- MITM attack (b073677f-253a-41f9-bf2b-2d16072a25f6)

High | Nessus Plugin ID 147872

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

MinIO developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk, and thereby without ever checking the chunk signature.
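The exchange described above, as an added example that is not MinIO's code: a small Go model of the aws-chunked body format with a client that signs each chunk, an on-path attacker that substitutes one oversized frame, and a server-side reader in both the shape the advisory describes (strict=false: a short read is treated as the end of the request and the chunk signature is never checked) and a fail-closed shape (strict=true). The signing key, seed signature, date and scope are constructed for the example, and the reader is a simplified model written for this page rather than MinIO's actual streaming reader.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Constructed request context for the example. signingKey stands in for the derived
// SigV4 signing key and seedSig for the seed signature from the Authorization header.
var signingKey = []byte("example-sigv4-signing-key")

const amzDate, scope = "20210317T000000Z", "20210317/us-east-1/s3/aws4_request"
const seedSig = "0000000000000000000000000000000000000000000000000000000000000000"

func sha256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// chunkSignature: SigV4 streaming chunk signature, chained on the previous chunk's signature.
func chunkSignature(prevSig string, data []byte) string {
	sts := strings.Join([]string{"AWS4-HMAC-SHA256-PAYLOAD", amzDate, scope,
		prevSig, sha256Hex(nil), sha256Hex(data)}, "\n")
	m := hmac.New(sha256.New, signingKey)
	m.Write([]byte(sts))
	return hex.EncodeToString(m.Sum(nil))
}

// frame formats one aws-chunked frame: "<hex size>;chunk-signature=<sig>\r\n<data>\r\n".
func frame(size int, sig string, data []byte) []byte {
	return []byte(fmt.Sprintf("%x;chunk-signature=%s\r\n%s\r\n", size, sig, data))
}

// encodeBody is the honest client: one signed chunk per part, then a signed zero-length chunk.
func encodeBody(parts ...[]byte) []byte {
	var body bytes.Buffer
	prev := seedSig
	for _, p := range parts {
		sig := chunkSignature(prev, p)
		body.Write(frame(len(p), sig, p))
		prev = sig
	}
	body.Write(frame(0, chunkSignature(prev, nil), nil))
	return body.Bytes()
}

// mitmBody is what an on-path attacker substitutes: one frame declaring 1 MiB but carrying far less, under a bogus signature.
func mitmBody(data []byte) []byte {
	return []byte(fmt.Sprintf("%x;chunk-signature=%s\r\n%s", 1<<20, strings.Repeat("0", 64), data))
}

// decodeBody is the server side. strict=false models the behaviour in the advisory: when the
// body ends before the declared chunk size is reached, the bytes read so far are accepted and
// the chunk signature is never checked. strict=true treats a short chunk as a hard error.
func decodeBody(body []byte, strict bool) ([]byte, error) {
	r := bufio.NewReader(bytes.NewReader(body))
	var out bytes.Buffer
	prev := seedSig
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, fmt.Errorf("chunk header: %w", err)
		}
		sizeStr, sig, ok := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";chunk-signature=")
		size, perr := strconv.ParseInt(sizeStr, 16, 64)
		if !ok || perr != nil || size < 0 || size > 16<<20 { // cap bounds the allocation below
			return nil, fmt.Errorf("malformed or oversized chunk header")
		}
		data := make([]byte, size)
		n, err := io.ReadFull(r, data)
		if err != nil { // body is shorter than the header claims
			if strict {
				return nil, fmt.Errorf("chunk truncated: declared %d bytes, got %d", size, n)
			}
			out.Write(data[:n]) // vulnerable path: unverified bytes become the object
			return out.Bytes(), nil
		}
		if want := chunkSignature(prev, data); !hmac.Equal([]byte(sig), []byte(want)) {
			return nil, fmt.Errorf("chunk signature mismatch")
		}
		if crlf, _ := r.Peek(2); string(crlf) != "\r\n" {
			return nil, fmt.Errorf("chunk: missing trailing CRLF")
		}
		r.Discard(2)
		if size == 0 {
			return out.Bytes(), nil
		}
		out.Write(data)
		prev = sig
	}
}
```

With the honest body, both reader variants return "hello world", and changing the data under a correctly sized chunk is caught by both, because the signature over the full chunk is checked. The attacker's frame is different: the vulnerable reader returns "tampered" with no error, while the strict reader fails. The point the strict variant makes is that a short read must fail closed: any byte accepted before the chunk's signature has been checked is unverified, so the reader has to refuse it rather than treating EOF as a normal end of request.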

Solution

Update the affected package.

See Also

https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp

http://www.nessus.org/u?31c92bb6

Plugin Details

Severity: High

ID: 147872

File Name: freebsd_pkg_b073677f253a41f9bf2b2d16072a25f6.nasl

Version: 1.1

Type: local

Published: 3/18/2021

Updated: 3/18/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:minio

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/17/2021

Vulnerability Publication Date: 3/17/2021