Security Report for TrueNAS 13.0-U5 and 13.0-U5.1
This is a security scan report of a default install of TrueNAS 13.0-U5 and 13.0-U5.1. When enabled, TrueNAS system services must be properly configured to prevent introducing any additional threat vectors. Follow industry best practices and the TrueNAS Documentation. If assistance is required, contact the iXsystems Support Team. If a separate security audit finds issues that are not listed below, contact the iXsystems Support Team for assistance.
This security report has two sections: the first is the findings from a pkg audit of the system, and the second is the results from Nessus scans of the system.
- Known Issues: 14
- False Flags: 0
- Critical Severity Alerts: 0
- High Severity Alerts: 0
- Medium Severity Alerts: 0
- Low Severity Alerts: 0
- Information Alerts: 26
CVE: CVE-2023-26112
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-26112
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer putting the offending value in a server-side configuration file.
TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122070
CVE: CVE-2022-39260
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-39260
Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git’s push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.
TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system; git shell is not accessible via SSH. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122071
CVE: CVE-2022-39253
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-39253
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source’s $GIT_DIR/objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim’s machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option. Git does not create symbolic links in the $GIT_DIR/objects directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the --local optimization when on a shared machine, either by passing the --no-local option to git clone or cloning from a URL that uses the file:// scheme. Alternatively, avoid cloning repositories from untrusted sources with --recurse-submodules or run git config --global protocol.file.allow user.
TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system; git shell is not accessible via SSH. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122071
CVE: CVE-2023-29007
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user’s $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.
TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122072
CVE: CVE-2023-25652
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the *.rej file exists.
TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122072
CVE: CVE-2022-24842
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-24842
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in RELEASE.2022-04-12T06-55-35Z. Users unable to upgrade may work around this issue by explicitly adding an admin:CreateServiceAccount deny policy; however, this in turn denies the user the ability to create their own service accounts as well.
TrueNAS Information: The built-in S3 service is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, the TrueNAS system is not vulnerable. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122074
CVE: CVE-2023-29469
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-29469
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the ‘\0’ value).
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122075
CVE: CVE-2023-28484
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-28484
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122075
CVE: CVE-2015-4645
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2015-4645
Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.
TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122076
CVE: CVE-2022-44638
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-44638
In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122077
CVE: CVE-2023-28117
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-28117
Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration, it is possible to leak sensitive cookie values, including the session cookie, to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have sendDefaultPII set to True; one must use a custom name for either SESSION_COOKIE_NAME or CSRF_COOKIE_NAME in one’s Django settings; and one must not be configured in one’s organization or project settings to use Sentry’s data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on one’s Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK’s filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the before_send callback method, and for performance-related events (transactions) one can use the before_send_transaction callback method. Those who want to handle filtering of these values on the server side can also use Sentry’s advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with a scrubbing rule.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122079
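The client-side workaround described above, as an added example that is not part of this report or of the Sentry SDK: a single callback usable as both before_send and before_send_transaction that redacts the values of custom-named session and CSRF cookies before the event leaves the application. The cookie names, the event contents and the nesting of request.cookies / request.headers under the event are assumptions modelled on the Sentry event format.

```python
# Added example, not code from the TrueNAS report or the Sentry SDK. It assumes the
# event layout used by Sentry's Django integration: event["request"]["cookies"] is a
# dict and event["request"]["headers"] is a dict that may carry a raw "Cookie" header.
from __future__ import annotations

import copy
from typing import Any

# Assumed custom names taken from Django's SESSION_COOKIE_NAME / CSRF_COOKIE_NAME.
SENSITIVE_COOKIES = {"myapp_session", "myapp_csrf"}
REDACTED = "[Filtered]"


def _scrub_cookie_header(value: str) -> str:
    """Replace the value of each sensitive cookie inside a raw Cookie header string."""
    parts = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        name, sep, _ = chunk.partition("=")
        parts.append(f"{name}={REDACTED}" if sep and name in SENSITIVE_COOKIES else chunk)
    return "; ".join(parts)


def scrub_sensitive_cookies(event: dict[str, Any], hint: dict[str, Any] | None = None) -> dict[str, Any]:
    """before_send / before_send_transaction callback: redact custom cookie values.

    Works on a copy so the SDK's own event object is never mutated, and leaves events
    without request data untouched.
    """
    event = copy.deepcopy(event)
    request = event.get("request")
    if not isinstance(request, dict):
        return event
    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in SENSITIVE_COOKIES:
            if name in cookies:
                cookies[name] = REDACTED
    headers = request.get("headers")
    if isinstance(headers, dict):
        for key in list(headers):
            if key.lower() == "cookie" and isinstance(headers[key], str):
                headers[key] = _scrub_cookie_header(headers[key])
    return event


# Wiring into the SDK (real sentry_sdk.init parameters; kept commented so this file runs offline):
# import sentry_sdk
# sentry_sdk.init(dsn="<your DSN>", send_default_pii=True,
#                 before_send=scrub_sensitive_cookies,
#                 before_send_transaction=scrub_sensitive_cookies)

# Constructed sample event resembling what the Django integration attaches to an error.
SAMPLE_EVENT = {
    "request": {
        "cookies": {"myapp_session": "abc123", "theme": "dark"},
        "headers": {"Cookie": "myapp_session=abc123; theme=dark; myapp_csrf=tok"},
    }
}

if __name__ == "__main__":
    print(scrub_sensitive_cookies(SAMPLE_EVENT))
```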
CVE: CVE-2023-0286
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-0286
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122080
CVE: CVE-2023-23931
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-23931
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122080
CVE: CVE-2022-40897
For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122081
The remaining alerts are items that can be flagged as a security vulnerability by automated security scans, but are not vulnerabilities. For example, one of the listed alerts flags that TrueNAS uses an nginx web server. TrueNAS uses a web server to provide a User Interface for system configuration. This is a normal part of TrueNAS operation. The TrueNAS nginx server is current and contains all the latest security patches. If you have more specific security concerns regarding any of these alerts, please contact the iXsystems Support Team.
Nessus ID 10107 - HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Ports 80, 443, 6000
The remote web server type is: nginx
The remote web server type is: Python/3.9 aiohttp/3.7.4.post0
Nessus ID 10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.
Nessus ID 10287 - Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Nessus ID 10386 - Web Server No 404 Error Code Check
Synopsis: The remote web server does not return 404 error codes.
Ports 80, 443
All invalid URLs are redirected to the signin page.
Nessus ID 10863 - SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Nessus ID 11219 - Nessus SYN scanner
Synopsis: It is possible to determine which TCP ports are open.
Ports 80, 443, 6000
Nessus ID 11936 - OS Identification
Synopsis: It is possible to guess the remote operating system.
Response:
Remote operating system: FreeBSD 10.3
Confidence level: 56
Nessus ID 19506 - Nessus Scan Information
Synopsis: This plugin displays information about the Nessus scan.
Information about this scan:
Nessus version: 10.5.2
Plugin feed version: 202305221003
Nessus ID 21643 - SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Nessus ID 22964 - Service Detection
Synopsis: The remote service could be identified.
tcp/80: A web server is running on this port.
tcp/443: A TLSv1.2 server answered on this port.
tcp/443: A web server is running on this port through TLSv1.2.
Nessus ID 24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Ports 80, 443, 6000
Nessus ID 25220 - TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Nessus ID 42822 - Strict Transport Security (STS) Detection
Synopsis: The remote web server implements Strict Transport Security.
Ports 80, 443
Nessus ID 42823 - Non-compliant Strict Transport Security (STS)
Synopsis: The remote web server implements Strict Transport Security incorrectly.
Port 80: The Strict-Transport-Security header must not be sent over an unencrypted channel.
Port 443: The response from the web server listening on port 80:
- does not contain a Status-Code of 301.
- does not contain a Location header field.
If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.
Nessus ID 45590 - Common Platform Enumeration (CPE)
Synopsis: It was possible to enumerate CPE names that matched on the remote system.
Response:
The remote operating system matched the following CPE:
cpe:/o:freebsd:freebsd:10.3 -> FreeBSD
Following application CPEs matched on the remote system:
cpe:/a:nginx:nginx -> Nginx
cpe:/a:python:python:3.9 -> Python
Nessus ID 54615 - Device Type
Synopsis: It is possible to guess the remote device type.
Response:
Remote device type: unknown
Confidence level: 56
Nessus ID 56984 - SSL / TLS Versions Supported
Synopsis: The remote service encrypts communications.
tcp/443/www: This port supports TLSv1.3/TLSv1.2.
Nessus ID 57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis: The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
Nessus ID 62564 - TLS Next Protocols Supported
Synopsis: The remote service advertises one or more protocols as being supported over TLS.
Nessus ID 84821 - TLS ALPN Supported Protocol Enumeration
Synopsis: The remote host supports the TLS ALPN extension.
Nessus ID 87242 - TLS NPN Supported Protocol Enumeration
Synopsis: The remote host supports the TLS NPN extension.
Nessus ID 106375 - nginx HTTP Server Detection
Synopsis: The nginx HTTP server was detected on the remote host.
Ports 80, 443
Nessus ID 122364 - Python Remote HTTP Detection
Synopsis: Python is running on the remote host.
Port 6000
Path: /
Version: 3.9
Product: Python
Nessus ID 136318 - TLS Version 1.2 Protocol Detection
Synopsis: The remote service encrypts traffic using a version of TLS.
Nessus ID 138330 - TLS Version 1.3 Protocol Detection
Synopsis: The remote service encrypts traffic using a version of TLS.
Nessus ID 156899 - SSL/TLS Recommended Cipher Suites
Synopsis: The remote host advertises discouraged SSL/TLS ciphers.
The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:
High Strength Ciphers (>= 112-bit key)
Name                       Code        KEX  Auth  Encryption              MAC
-------------------------  ----------  ---  ----  ----------------------  ------
DHE-RSA-AES-128-CCM-AEAD   0xC0, 0x9E  DH   RSA   AES-CCM(128)            AEAD
DHE-RSA-AES-128-CCM8-AEAD  0xC0, 0xA2  DH   RSA   AES-CCM8(128)           AEAD
DHE-RSA-AES-256-CCM-AEAD   0xC0, 0x9F  DH   RSA   AES-CCM(256)            AEAD
DHE-RSA-AES-256-CCM8-AEAD  0xC0, 0xA3  DH   RSA   AES-CCM8(256)           AEAD
DHE-RSA-CHACHA20-POLY1305  0xCC, 0xAA  DH   RSA   ChaCha20-Poly1305(256)  SHA256
The fields above are:
{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}