MinIO Chunked Encoding Signature Verification Vulnerability Allowing MITM Modification

Vulnerability

A vulnerability exists in MinIO, an open-source object storage service compatible with Amazon S3, prior to version RELEASE.2021-03-17T02-33-02Z. The issue allows man-in-the-middle (MITM) attackers to modify request bodies whose integrity should be protected by chunk signatures. In PUT requests using aws-chunked encoding, MinIO normally verifies the signature at the end of each chunk. This verification can be bypassed if the client sends a misleading chunk size that is significantly larger than the data actually sent: the server completes the request without checking the chunk signature, so the body is accepted unverified.
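As an added example (not MinIO's own code), the Go reader below handles the aws-chunked format the way a fixed server should: each chunk signature is verified before its bytes are accepted, and a declared chunk size larger than the data actually received is an error rather than a completed request. The signing key, seed signature, date and scope values are constructed placeholders; a real server derives them from the request's SigV4 headers.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
)

// chunkSig is the SigV4 streaming chunk signature, chained to the previous one; date/scope are constructed example values.
func chunkSig(key []byte, prev string, data []byte) string {
	empty, payload := sha256.Sum256(nil), sha256.Sum256(data)
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "AWS4-HMAC-SHA256-PAYLOAD\n20210317T000000Z\n20210317/us-east-1/s3/aws4_request\n%s\n%x\n%x", prev, empty[:], payload[:])
	return fmt.Sprintf("%x", m.Sum(nil))
}

// signedBody encodes chunks in aws-chunked form, ending with the signed zero-length chunk.
func signedBody(key []byte, seed string, chunks ...[]byte) (body string) {
	for _, c := range append(chunks, nil) {
		seed = chunkSig(key, seed, c)
		body += fmt.Sprintf("%x;chunk-signature=%s\r\n%s\r\n", len(c), seed, c)
	}
	return body
}

// readSignedChunks returns the payload only once every chunk, including the zero-length terminal one,
// has been read in full and its signature verified; a body that ends early is an error, never a success.
func readSignedChunks(body io.Reader, key []byte, seed string) ([]byte, error) {
	r, prev, out := bufio.NewReader(body), seed, []byte{}
	for {
		var size, sig = int32(0), "" // int32 keeps a bogus declared size from driving a huge allocation
		line, err := r.ReadString('\n')
		if _, perr := fmt.Sscanf(line, "%x;chunk-signature=%s", &size, &sig); err != nil || perr != nil || size < 0 {
			return nil, fmt.Errorf("missing or malformed chunk header %q", line)
		}
		data := make([]byte, int(size)+2) // payload plus the CRLF that terminates it
		if _, err := io.ReadFull(r, data); err != nil || string(data[size:]) != "\r\n" {
			return nil, fmt.Errorf("chunk truncated or malformed after %d verified payload bytes", len(out))
		}
		if want := chunkSig(key, prev, data[:size]); !hmac.Equal([]byte(want), []byte(sig)) {
			return nil, fmt.Errorf("chunk signature mismatch")
		}
		out, prev = append(out, data[:size]...), sig
		if size == 0 {
			return out, nil
		}
	}
}
```

A body whose declared size exceeds the bytes on the wire fails inside io.ReadFull, and a body that stops before the signed zero-length chunk fails at the next header read, so neither can be stored as a complete object.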

Impact

Exploitation of this vulnerability could lead to unauthorized modification of request bodies, allowing attackers to manipulate data integrity during transmission.

Remediation

Users are advised to upgrade to MinIO version RELEASE.2021-03-17T02-33-02Z. As a workaround, avoid using 'aws-chunked' encoding for uploads that require chunk signatures and use TLS instead; MinIO SDKs automatically disable chunked encoding signatures when the server endpoint is secured with TLS.

Added: Mar 11, 2026, 6:35 PM
Updated: Mar 11, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 7.6
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.