TrueNAS Security Advisories

The TrueNAS team monitors TrueNAS and TrueCommand products for potential security vulnerabilities. Identified vulnerabilities are analyzed for exposure in TrueNAS products. Each identified vulnerability assesses the exposure level to TrueNAS or TrueCommand and the vulnerability is assigned a security rating. Security rating definitions and general TrueNAS policies related to these ratings are described in the vulnerability definitions.

The TrueNAS team recommends that all systems installed with TrueNAS or TrueNAS-related products are configured consistent with the security best practices guide available from the TrueNAS Documentation Hub.

Reporting Previously Unknown Vulnerabilities (Click to expand)

To report previously unknown vulnerabilities, create a Jira account and open a new TrueNAS Security Disclosure. Include this information:

CVE number (when applicable)
Impacted product or software component
Software version
Vulnerability description and its location
Steps to reproduce the vulnerability
Proof-of-concept exploit code (when available)
Contact information for investigation follow-up and recognition

Tickets are confidential between the reporter and the TrueNAS Security Team.

The TrueNAS team acknowledges receipt of reported vulnerabilities and contacts the reporter to discuss the resolution plan, according to the vulnerability severity and impact. TrueNAS does not currently support a monetary bug bounty program. However, public acknowledgement of researchers adhering to this policy is available. The TrueNAS team supports the creation of new CVE entries for our products for unique and un-remediated vulnerabilities.

Alternatively, details can be sent to the following email address: psirt@ixsystems.com.

TrueNAS SecTeam PGP key

TrueNAS Response to Pwn2own Ireland Competition (Click to expand)

Open Source, Open Minds - Addressing the Pwn2Own 2024 Ireland Results

Hello TrueNAS community, tech enthusiasts, and security professionals.

We wanted to take a moment to address the recent results from the Pwn2Own Ireland 2024 contest, where the TrueNAS Mini X was among the list of targeted NAS systems.

First and foremost, we want to express our gratitude to the individuals and teams who engaged with our system. Efforts of security experts, ethical hackers, and other penetration testers are essential in the open source ecosystem, helping identify weaknesses and areas for improvement. This kind of collaboration helps enhance products for everyone.

The TrueNAS Engineering team was actively monitoring the results at Pwn2Own as the events unfolded live, and reached out as soon as we saw a report of a successful attack on the TrueNAS Mini X. In keeping with the principles of responsible disclosure, the Zero Day Initiative (sponsors of the Pwn2Own competition) provides details on the vulnerability to impacted vendors prior to allowing publication. The proactive approach demonstrated here allows us to quickly address potential issues.

Being open source means being open to all forms of feedback from the community, from feature request to 0-day disclosure, so we greatly appreciate the detailed results being provided.

How Can I Protect Myself?

These newly disclosed vulnerabilities were exposed by veteran security researchers against a default, non-hardened TrueNAS installation. By following the best practices outlined in the TrueNAS Security Recommendations guide (https://www.truenas.com/docs/solutions/optimizations/security/) you can significantly reduce your chances of being exposed to vulnerabilities.

Keep TrueNAS up-to-date with the most recent updates for your supported version
Upgrade to new major releases promptly consistent with your deployment use case
Disable any network services that are not in use
Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users
Configure Syslog settings to send logs to an external server
In TrueNAS 24.04 (Dragonfish) or later, locally monitor and review audit logs using the Audit screen
In the System > Advanced Settings, keep the Show Text Console without Password Prompt setting on Disabled

As with any other computer on your network, it’s recommended to place your TrueNAS system behind a firewall, IDS/IPS, or other gateway device to reduce your attack surface. Using a secure (and frequently updated!) firewall or IDS/IPS device, as well as restricting access to the management or available IPMI interfaces, will help significantly reduce the attack surface.

Enable two-factor authentication (2FA) where possible, and require a password even for physical console access - although if someone has physical access to your TrueNAS system, remember that they could pull the power cable out to affect a very low-tech Denial of Service attack.

What’s Next?

The TrueNAS engineering team is currently focused on reviewing the vulnerabilities identified at Pwn2Own, and triaging them between system configuration and software issues. We’ll be rolling out updates and improved documentation as necessary, ensuring our system is more secure and resilient. Keep an eye out for updates on the TrueNAS Software Status page, and ensure your system is configured to automatically check for updates.

Published Advisories

Click a product card at the bottom of the page to see the latest published advisories, TrueNAS team responses, archived advisories, and any special security notices that are relevant to that product.

Search for a specific CVE or other vulnerability identifier: