TrueNAS Security Advisories

iXsystems monitors TrueNAS and TrueCommand products for potential security vulnerabilities. Identified vulnerabilities are analyzed for exposure in iXsystems’ products. For each identified vulnerability, iXsystems assesses the level of exposure of TrueNAS or TrueCommand and assigns an iXsystems security rating. Security rating definitions and the general iXsystems policies related to these ratings are described in the iXsystems vulnerability definitions.

iXsystems recommends that all systems running TrueNAS or TrueNAS-related products be configured consistently with the security best practices guide available from the TrueNAS Documentation Hub.

To report previously unknown vulnerabilities, create an iXsystems Jira account and open a new iX Security Disclosure. Include this information:

  • CVE number (when applicable)
  • Impacted product or software component
  • Software version
  • Vulnerability description and its location
  • Steps to reproduce the vulnerability
  • Proof-of-concept exploit code (when available)
  • Contact information for investigation follow-up and recognition

Tickets are confidential between the reporter and the iXsystems Security Team.

iXsystems acknowledges receipt of reported vulnerabilities and contacts the reporter to discuss the resolution plan, according to the vulnerability's severity and impact. iXsystems does not currently support a monetary bug bounty program. However, public acknowledgement of researchers adhering to this policy is available. iXsystems supports the creation of new CVE entries for its products for unique and unremediated vulnerabilities.

Alternatively, details can be sent to the following email address: psirt@ixsystems.com.

IX SecTeam PGP key

Open Source, Open Minds - Addressing the Pwn2Own 2024 Ireland Results

Hello TrueNAS community, tech enthusiasts, and security professionals.

We wanted to take a moment to address the recent results from the Pwn2Own Ireland 2024 contest, where the TrueNAS Mini X was among the list of targeted NAS systems.

First and foremost, we want to express our gratitude to the individuals and teams who engaged with our system. The efforts of security experts, ethical hackers, and other penetration testers are essential in the open source ecosystem, helping identify weaknesses and areas for improvement. This kind of collaboration helps enhance products for everyone.

The TrueNAS Engineering team was actively monitoring the results at Pwn2Own as the events unfolded live, and reached out as soon as we saw a report of a successful attack on the TrueNAS Mini X. In keeping with the principles of responsible disclosure, the Zero Day Initiative (sponsors of the Pwn2Own competition) provides details on the vulnerability to impacted vendors prior to allowing publication. The proactive approach demonstrated here allows us to quickly address potential issues.

Being open source means being open to all forms of feedback from the community, from feature requests to 0-day disclosures, so we greatly appreciate the detailed results being provided.

How Can I Protect Myself?

These newly disclosed vulnerabilities were demonstrated by veteran security researchers against a default, non-hardened TrueNAS installation. By following the best practices outlined in the TrueNAS Security Recommendations guide (https://www.truenas.com/docs/solutions/optimizations/security/) you can significantly reduce your exposure to vulnerabilities of this kind.

  • Keep TrueNAS up-to-date with the most recent updates for your supported version
  • Upgrade to new major releases promptly consistent with your deployment use case
  • Disable any network services that are not in use
  • Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users
  • Configure Syslog settings to send logs to an external server
  • In TrueNAS 24.04 (Dragonfish) or later, locally monitor and review audit logs using the Audit screen
  • In System > Advanced Settings, keep the Show Text Console without Password Prompt setting disabled

As with any other computer on your network, it’s recommended to place your TrueNAS system behind a firewall, IDS/IPS, or other gateway device. A secure (and frequently updated!) firewall or IDS/IPS device, combined with restricting access to the management and IPMI interfaces, significantly reduces the attack surface an outside attacker can reach.

Enable two-factor authentication (2FA) where possible, and require a password even for physical console access - although if someone has physical access to your TrueNAS system, remember that they could pull the power cable out to effect a very low-tech Denial of Service attack.
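The checklist above and the 2FA recommendation can be turned into a repeatable audit. The following Python script is an added example written for this page; it is not iXsystems code and not part of TrueNAS. It assumes that the `midclt call <method>` CLI shipped with TrueNAS SCALE prints the middleware's JSON response, and that the field names used (`consolemenu` and `syslogserver` from `system.advanced.config`, `ui_allowlist` from `system.general.config`, `service`/`enable`/`state` from `service.query`, `enabled` from `auth.twofactor.config`) match the SCALE 24.04 API. Confirm each name against `midclt call <method>` on your own system before relying on the script; the `RISKY_SERVICES` list and the sample configuration are constructed for the example.

```python
"""Audit a TrueNAS SCALE host against the hardening checklist.

Added example, not iXsystems code. Field and method names below are assumed
from the SCALE 24.04 middleware API; verify them with `midclt call <method>`.
Run with `--live` on a TrueNAS SCALE host, or without arguments to audit the
constructed sample configuration embedded here.
"""
import ipaddress
import json
import subprocess
import sys

# Network services a NAS rarely needs; flagged when enabled unless the operator
# declares them in use. Names as `service.query` reports them (assumed).
RISKY_SERVICES = {"ftp", "tftp", "snmp", "webdav", "iscsitarget", "nfs", "cifs", "ssh"}


def midclt(method):
    """Run `midclt call <method>` on a TrueNAS SCALE host and parse its JSON output."""
    out = subprocess.run(["midclt", "call", method], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def audit(advanced, general, services, twofactor, in_use=()):
    """Return a list of findings; an empty list means the checklist is satisfied.

    advanced  -- dict from system.advanced.config
    general   -- dict from system.general.config
    services  -- list of dicts from service.query
    twofactor -- dict from auth.twofactor.config
    in_use    -- service names the operator actually needs (never flagged)
    """
    findings = []

    # Show Text Console without Password Prompt must stay disabled.
    if advanced.get("consolemenu"):
        findings.append("console menu is shown without a password prompt (consolemenu=true)")

    # Logs must go to an external syslog server.
    if not advanced.get("syslogserver"):
        findings.append("no remote syslog server configured")

    # Web UI must be reachable from private subnets only. An empty allowlist
    # means the UI answers any source address; a public range defeats the point.
    allowlist = general.get("ui_allowlist") or []
    if not allowlist:
        findings.append("web UI allowlist is empty (UI reachable from any address)")
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"web UI allowlist entry {entry!r} is not a valid network")
            continue
        if not net.is_private:
            findings.append(f"web UI allowlist entry {entry} is not a private range")

    # Services not in use must be disabled. Check both the boot-time enable
    # flag and the current state so a manually started service is caught too.
    for svc in services:
        name = svc.get("service")
        active = svc.get("enable") or svc.get("state") == "RUNNING"
        if name in RISKY_SERVICES and name not in in_use and active:
            findings.append(f"service {name} is enabled but not declared in use")

    # Two-factor authentication should be on wherever possible.
    if not twofactor.get("enabled"):
        findings.append("two-factor authentication is disabled")

    return findings


def audit_live(in_use=()):
    """Collect the four config objects from a running host and audit them."""
    return audit(midclt("system.advanced.config"), midclt("system.general.config"),
                 midclt("service.query"), midclt("auth.twofactor.config"), in_use)


# Constructed sample resembling a default, non-hardened install (offline use only).
SAMPLE_DEFAULT = dict(
    advanced={"consolemenu": True, "syslogserver": ""},
    general={"ui_allowlist": []},
    services=[{"service": "cifs", "enable": True, "state": "RUNNING"},
              {"service": "ftp", "enable": False, "state": "STOPPED"}],
    twofactor={"enabled": False},
)

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    results = audit_live() if live else audit(**SAMPLE_DEFAULT)
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

The script exits non-zero when any finding remains, so it can run from cron or a configuration-management check after each update; pass the services you genuinely rely on (for example `in_use=("cifs",)`) so that only unexpected exposure is reported.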

What’s Next?

The TrueNAS engineering team is currently focused on reviewing the vulnerabilities identified at Pwn2Own, and triaging them between system configuration and software issues. We’ll be rolling out updates and improved documentation as necessary, ensuring our system is more secure and resilient. Keep an eye out for updates on the TrueNAS Software Status page, and ensure your system is configured to automatically check for updates.

Published Advisories

Click a product card at the bottom of the page to see the latest published advisories, iXsystems’ responses, archived advisories, and any special security notices that are relevant to that product.