Full Report
During an interview, the author of the post was once asked: "What is the most common security vulnerability?" To Lenin's surprise, the answer was system misconfiguration. With people flocking from Twitter to Mastodon, the author decided to take a look at the security of the infosec Mastodon instance and, while at it, was curious how user content was stored. The content appeared to be an AWS S3 XML response, and on top of that it was served by MinIO (Multi-Cloud Object Storage). The author made some observations: user content is uploaded to MinIO buckets, and if the browser fetches it directly, there must be anonymous read access on those resources. Using the MinIO client, whose interface is similar to S3, they were able to list the contents of the Mastodon S3 bucket, including other folders in the bucket that were NOT meant to be public. If we can read, can we write? The author attempted to upload something, and it worked: they made a tiny modification to the Infosec Mastodon logo just to prove a point. What's the security issue? The S3 bucket policy allows s3:*. They noticed the same problem on other Mastodon servers as well. Overall, a great commentary on the most common security vulnerability of them all: misconfigurations.
Analysis Summary
# Vulnerability: Improper Access Control in Mastodon S3/MinIO Storage
## CVE Details
- **CVE ID**: N/A (System Misconfiguration)
- **CVSS Score**: Estimated 9.8 (Critical) - Based on unauthorized write/delete access to public-facing infrastructure.
- **CWE**: CWE-284: Improper Access Control / CWE-16: Configuration
## Affected Systems
- **Products**: Mastodon instances utilizing S3-compatible object storage (specifically MinIO in this case).
- **Versions**: Platform-agnostic; affects any version where media storage is handled by externally misconfigured S3/MinIO buckets.
- **Configurations**: Instances where the S3 bucket policy is set to allow anonymous/public `s3:*` actions rather than restricted `s3:GetObject`.
## Vulnerability Description
The vulnerability stems from a critical system misconfiguration of the Object Storage (MinIO) backend. Mastodon instances often offload media (images, avatars, attachments) to S3-compatible storage. While anonymous **read** access is necessary for browsers to display images, the affected servers were configured with a wildcard policy (`s3:*`) for anonymous users. This inadvertently granted unauthenticated attackers the ability to list all bucket contents (directory listing), upload new files, overwrite existing files, and delete data.
## Exploitation
- **Status**: PoC available / Confirmed exploited for research purposes.
- **Complexity**: Low (Requires only standard S3 client tools like `mc`).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: **High**. Attackers can list and download all files, including those shared via private Direct Messages or other non-public folders.
- **Integrity**: **High**. Attackers can modify or replace any site content, including profile pictures, headers, and site logos (Defacement).
- **Availability**: **High**. Attackers possess the permissions to delete all uploaded media across the entire instance.
## Remediation
### Patches
- This is not a software bug in Mastodon or MinIO code; therefore, no software patch is applicable. Remediation requires manual configuration changes by instance administrators.
### Workarounds
- **Policy Hardening**: Modify the S3/MinIO bucket policy to ensure that anonymous access is restricted strictly to `s3:GetObject` for public media paths only.
- **Disable Directory Listing**: Ensure that `s3:ListBucket` is not granted to anonymous users to prevent attackers from discovering private file paths.
- **Remove Wildcards**: Never use `*` in principal or action fields for public policies.
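The three workaround items above amount to one rule: an anonymous principal gets `s3:GetObject` on public media prefixes and nothing else. The following added example (written for this summary, not code from the original post, Mastodon or MinIO) embeds a constructed policy of the weak kind the report describes next to a hardened one, and audits both for anonymous `Allow` statements that carry wildcard actions, `s3:ListBucket`, non-read actions, or a whole-bucket resource. The bucket name `mastodon` and the `accounts/` and `media_attachments/` prefixes are assumed examples.

```python
import json

# Constructed example policies (not taken from any real Mastodon instance).
# WEAK_POLICY is the pattern the report describes: anonymous principal, s3:*.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["*"]},
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::mastodon", "arn:aws:s3:::mastodon/*"]
    }
  ]
}
""")

# HARDENED_POLICY: anonymous users may only read objects under public media prefixes.
# The prefixes are assumed examples; use the paths your instance actually serves.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["*"]},
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::mastodon/accounts/*",
        "arn:aws:s3:::mastodon/media_attachments/*"
      ]
    }
  ]
}
""")

# The only action an anonymous (browser) principal needs in order to display media.
ALLOWED_ANONYMOUS_ACTIONS = {"s3:GetObject"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_whole_bucket(resource):
    """True for arn:aws:s3:::bucket/* (no key prefix), i.e. every object in the bucket."""
    if ":::" not in resource or not resource.endswith("/*"):
        return False
    path = resource.split(":::", 1)[1]
    return path.count("/") == 1


def audit_policy(policy):
    """Return (statement_index, code, detail) findings for anonymous Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, "WILDCARD_ACTION", action))
            elif action == "s3:ListBucket":
                findings.append((idx, "LIST_BUCKET", action))
            elif action not in ALLOWED_ANONYMOUS_ACTIONS:
                findings.append((idx, "NON_READ_ACTION", action))
        for resource in _as_list(stmt.get("Resource")):
            if is_whole_bucket(resource):
                findings.append((idx, "WHOLE_BUCKET_RESOURCE", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_policy(policy) or 'no findings'}")
```

Run it against the JSON you get back from `mc anonymous get-json` or the equivalent AWS CLI call; a clean result means anonymous users are limited to object reads under explicit prefixes, which is exactly what a browser needs and nothing more.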
## Detection
- **Indicators of Compromise**: Unauthorized changes to site assets (e.g., logo changes), unexpected deletion of media, or large-scale data egress logs from the storage backend.
- **Detection Methods**: Use the MinIO Client (`mc`) or AWS CLI to attempt unauthenticated listings or writes against the instance's bucket (an empty access key and secret key configure `mc` for anonymous access):

```bash
mc alias set test hxxps[://]media.example.com "" ""
mc ls test/bucketname
mc cp test_file test/bucketname/path/to/logo.png
```
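The indicators listed above (unauthorized asset changes, unexpected deletions, large egress) can also be pulled out of storage access logs after the fact. The following added example (written for this summary, not code from the original post, Mastodon or MinIO) parses constructed log lines in the AWS S3 server access log layout, where the requester field is `-` for unauthenticated requests, and flags successful anonymous writes or deletes, anonymous bucket listings, and anonymous per-IP download volume over a threshold. MinIO's own audit log is a different, JSON-based format, so the regular expression is an assumption specific to this layout; the IPs, keys and user agents are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines in the AWS S3 server access log layout (assumption: this is not
# MinIO's JSON audit format). Field 5, the requester, is "-" for unauthenticated requests.
SAMPLE_LOG = """\
owner1 mastodon [14/Nov/2022:10:15:02 +0000] 198.51.100.7 - R001 REST.GET.OBJECT accounts/avatars/000/000/001/original/avatar.png "GET /mastodon/accounts/avatars/000/000/001/original/avatar.png HTTP/1.1" 200 - 48213 48213 12 10 "-" "Mozilla/5.0" -
owner1 mastodon [14/Nov/2022:10:16:40 +0000] 203.0.113.9 - R002 REST.GET.BUCKET - "GET /mastodon/?list-type=2 HTTP/1.1" 200 - 90512 - 30 28 "-" "s3-client/constructed" -
owner1 mastodon [14/Nov/2022:10:17:05 +0000] 203.0.113.9 - R003 REST.PUT.OBJECT site_uploads/files/000/000/001/original/logo.png "PUT /mastodon/site_uploads/files/000/000/001/original/logo.png HTTP/1.1" 200 - - 3321 15 9 "-" "s3-client/constructed" -
owner1 mastodon [14/Nov/2022:10:17:30 +0000] 192.0.2.20 AKIAEXAMPLEMASTODON R004 REST.PUT.OBJECT media_attachments/files/000/000/009/original/photo.jpg "PUT /mastodon/media_attachments/files/000/000/009/original/photo.jpg HTTP/1.1" 200 - - 90112 40 38 "-" "aws-sdk-ruby3/constructed" -
owner1 mastodon [14/Nov/2022:10:18:11 +0000] 203.0.113.9 - R005 REST.DELETE.OBJECT media_attachments/files/000/000/009/original/photo.jpg "DELETE /mastodon/media_attachments/files/000/000/009/original/photo.jpg HTTP/1.1" 204 - - 90112 5 4 "-" "s3-client/constructed" -
owner1 mastodon [14/Nov/2022:10:19:00 +0000] 198.51.100.7 - R006 REST.PUT.OBJECT site_uploads/files/000/000/001/original/logo.png "PUT /mastodon/site_uploads/files/000/000/001/original/logo.png HTTP/1.1" 403 AccessDenied - 3321 3 2 "-" "s3-client/constructed" -
owner1 mastodon [14/Nov/2022:10:20:45 +0000] 203.0.113.9 - R007 REST.GET.OBJECT media_attachments/files/000/000/002/original/video.mp4 "GET /mastodon/media_attachments/files/000/000/002/original/video.mp4 HTTP/1.1" 200 - 60000000 60000000 900 880 "-" "s3-client/constructed" -
"""

# Leading fields of the S3 server access log layout; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\S+) '
    r'(?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+)'
)

# Operations that change bucket contents and the one that enumerates them.
WRITE_OPS = {"REST.PUT.OBJECT", "REST.POST.OBJECT", "REST.COPY.OBJECT",
             "REST.DELETE.OBJECT", "REST.POST.MULTI_OBJECT_DELETE"}
LIST_OPS = {"REST.GET.BUCKET"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["anonymous"] = rec["requester"] == "-"
    rec["success"] = rec["status"].startswith("2")
    rec["bytes_sent"] = int(rec["bytes_sent"]) if rec["bytes_sent"].isdigit() else 0
    return rec


def detect(lines, egress_threshold=50 * 1024 * 1024):
    """Flag successful anonymous writes/deletes, anonymous listings, and anonymous
    per-IP download volume at or above egress_threshold bytes."""
    findings = []
    egress = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        # Denied requests (403) and authenticated requests are not findings here.
        if rec is None or not rec["anonymous"] or not rec["success"]:
            continue
        op = rec["operation"]
        if op in WRITE_OPS:
            findings.append({"kind": "ANON_WRITE", "ip": rec["ip"], "operation": op,
                             "key": rec["key"], "request_id": rec["request_id"]})
        elif op in LIST_OPS:
            findings.append({"kind": "ANON_LIST", "ip": rec["ip"], "operation": op,
                             "request_id": rec["request_id"]})
        elif op == "REST.GET.OBJECT":
            egress[rec["ip"]] += rec["bytes_sent"]
    for ip, total in egress.items():
        if total >= egress_threshold:
            findings.append({"kind": "ANON_EGRESS", "ip": ip, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Anonymous `GET` requests for avatars and attachments are normal for a Mastodon instance and are not flagged individually; only their aggregate volume per source address is. Any `ANON_WRITE` or `ANON_LIST` finding with a 2xx status is direct evidence that the bucket policy grants anonymous users more than `s3:GetObject`.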
## References
- MinIO Documentation: [hxxps[://]min.io/docs/minio/linux/reference/minio-mc.html]
- Mastodon Security: [hxxps[://]infosec[.]exchange]
- Original Post: [hxxps[://]www[.]alevsk[.]com/2022/11/system-misconfiguration-is-the-number-one-vulnerability-at-least-for-mastodon/]