MinIO
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*
- >= RELEASE.2024-06-06T09-36-42Z, < RELEASE.2025-02-28T09-55-16Z
A vulnerability in MinIO's SFTP authentication process allows for authentication bypass and unauthorized data access. This issue affects MinIO servers configured to use SFTP with LDAP as an external identity provider, specifically in versions from RELEASE.2024-06-06T09-36-42Z prior to RELEASE.2025-02-28T09-55-16Z. The vulnerability arises because the server incorrectly trusts SSH keys from users without an 'sshPublicKey' attribute in LDAP, enabling them to perform SFTP operations based on their MinIO access policies.
Exploitation of this vulnerability allows unauthorized users to bypass authentication and access data through SFTP, performing actions such as reading, writing, deleting, and listing objects, all based on the access policies assigned to their LDAP user or groups.
To reproduce this vulnerability, first ensure that the MinIO server is set up with SFTP access and using LDAP for authentication. Then, identify an LDAP user who does not have the 'sshPublicKey' attribute. This user must have an associated MinIO access policy, either directly or through a group. Once these conditions are met, attempt to authenticate via SFTP using an SSH key. The absence of the 'sshPublicKey' attribute will result in the server incorrectly trusting the key, allowing access to SFTP operations permitted by the user's MinIO policies.
Users can update to MinIO version RELEASE.2025-02-28T09-55-16Z or later, where this vulnerability has been fixed.
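Two things an operator wants from this advisory are a way to tell whether a given MinIO release tag falls inside the affected range, and a clear picture of what the incorrect and corrected authentication rules look like. The Go program below is an added illustration written for this page, not MinIO's own code: the release-tag parser relies only on the tag format visible above, and the `ldapUser` type, the key-matching helpers and the `exposedUsers` audit are constructed models of the behaviour the advisory describes (a user with a mapped policy but no `sshPublicKey` attribute being trusted on any key), not the server's actual implementation.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Affected range taken from the advisory: [firstAffected, fixedRelease).
const (
	firstAffected = "RELEASE.2024-06-06T09-36-42Z"
	fixedRelease  = "RELEASE.2025-02-28T09-55-16Z"
)

// releaseTime parses a MinIO release tag ("RELEASE.2006-01-02T15-04-05Z")
// into a UTC timestamp so tags can be ordered chronologically.
func releaseTime(tag string) (time.Time, error) {
	return time.Parse("2006-01-02T15-04-05Z", strings.TrimPrefix(tag, "RELEASE."))
}

// isAffected reports whether a server's release tag lies inside the range
// the advisory names (inclusive start, exclusive fixed release).
func isAffected(tag string) (bool, error) {
	v, err := releaseTime(tag)
	if err != nil {
		return false, err
	}
	lo, _ := releaseTime(firstAffected)
	hi, _ := releaseTime(fixedRelease)
	return !v.Before(lo) && v.Before(hi), nil
}

// ldapUser is a constructed stand-in for what the server learns from LDAP:
// the DN, any sshPublicKey attribute values, and whether a MinIO policy is
// mapped to the user directly or through one of its groups.
type ldapUser struct {
	DN            string
	SSHPublicKeys []string // empty when the attribute is absent
	HasPolicy     bool
}

// normalizeKey reduces an authorized_keys-style line to "<type> <base64>",
// dropping trailing comments so the same key compares equal regardless of label.
func normalizeKey(line string) string {
	f := strings.Fields(line)
	if len(f) < 2 {
		return ""
	}
	return f[0] + " " + f[1]
}

// keyListed reports whether the presented key matches one stored in LDAP.
func keyListed(u ldapUser, presented string) bool {
	want := normalizeKey(presented)
	if want == "" {
		return false
	}
	for _, k := range u.SSHPublicKeys {
		if normalizeKey(k) == want {
			return true
		}
	}
	return false
}

// acceptKeyVulnerable models the flaw as described: with no attribute there is
// nothing to compare against, yet the key is trusted and policy alone decides.
func acceptKeyVulnerable(u ldapUser, presented string) bool {
	if len(u.SSHPublicKeys) == 0 {
		return u.HasPolicy
	}
	return u.HasPolicy && keyListed(u, presented)
}

// acceptKeyFixed is the intended rule: a missing sshPublicKey attribute means
// no key-based SFTP login at all, whatever policy the user carries.
func acceptKeyFixed(u ldapUser, presented string) bool {
	if len(u.SSHPublicKeys) == 0 {
		return false
	}
	return u.HasPolicy && keyListed(u, presented)
}

// exposedUsers lists DNs worth reviewing on an affected server: policy-bearing
// users with no sshPublicKey attribute, i.e. exactly those the flaw admitted.
func exposedUsers(users []ldapUser) []string {
	var out []string
	for _, u := range users {
		if u.HasPolicy && len(u.SSHPublicKeys) == 0 {
			out = append(out, u.DN)
		}
	}
	return out
}

func main() {
	// Constructed sample directory; the key material is a placeholder, not a real key.
	users := []ldapUser{
		{DN: "uid=alice,ou=people,dc=example,dc=com", SSHPublicKeys: []string{"ssh-ed25519 AAAAEXAMPLEKEY alice"}, HasPolicy: true},
		{DN: "uid=bob,ou=people,dc=example,dc=com", HasPolicy: true}, // policy, no attribute
	}
	a, _ := isAffected(firstAffected)
	fmt.Println("first affected tag flagged:", a)
	fmt.Println("users to review:", exposedUsers(users))
	fmt.Println("bob admitted under old rule:", acceptKeyVulnerable(users[1], "ssh-ed25519 AAAAOTHER x"))
	fmt.Println("bob admitted under fixed rule:", acceptKeyFixed(users[1], "ssh-ed25519 AAAAOTHER x"))
}
```

`isAffected` treats the fixed release itself as not affected, matching the "prior to" wording above, and returns an error rather than a silent false on a tag that does not follow the `RELEASE.` date format. `exposedUsers` is the audit an administrator can run against an LDAP export after upgrading to see which accounts could have logged in without a registered key while the vulnerable release was in service.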