TrueNAS Security Advisories

For secure communications with the TrueNAS Security Team, you can use our PGP public key to encrypt sensitive security reports and vulnerability disclosures.

Download: TrueNAS SecTeam PGP Public Key

Download: Bill_O’Hanlon PGP Public Key

Key Fingerprint: Contact psirt@ixsystems.com for key verification

This key should be used when sending sensitive security information that requires encryption. For general security inquiries, you may use the standard contact methods listed above.

To report previously unknown vulnerabilities, create a Jira account and open a new TrueNAS Security Disclosure. Include this information:

• CVE number (when applicable)
• Impacted product or software component
• Software version
• Vulnerability description and its location
• Steps to reproduce the vulnerability
• Proof-of-concept exploit code (when available)
• Contact information for investigation follow-up and recognition

Tickets are confidential between the reporter and the TrueNAS Security Team.

The TrueNAS team acknowledges receipt of reported vulnerabilities and contacts the reporter to discuss the resolution plan, according to the vulnerability severity and impact. TrueNAS does not currently support a monetary bug bounty program. However, public acknowledgement of researchers adhering to this policy is available. The TrueNAS team supports the creation of new CVE entries for our products for unique and un-remediated vulnerabilities.

Alternatively, details can be sent to the following email address: psirt@ixsystems.com.

TrueNAS SecTeam PGP key

Hello TrueNAS community, tech enthusiasts, and security professionals.

We wanted to take a moment to address the recent results from the Pwn2Own Ireland 2024 contest, where the TrueNAS Mini X was among the list of targeted NAS systems.

First and foremost, we want to express our gratitude to the individuals and teams who engaged with our system. Efforts of security experts, ethical hackers, and other penetration testers are essential in the open source ecosystem, helping identify weaknesses and areas for improvement. This kind of collaboration helps enhance products for everyone.

The TrueNAS Engineering team was actively monitoring the results at Pwn2Own as the events unfolded live, and reached out as soon as we saw a report of a successful attack on the TrueNAS Mini X. In keeping with the principles of responsible disclosure, the Zero Day Initiative (sponsors of the Pwn2Own competition) provides details on the vulnerability to impacted vendors prior to allowing publication. The proactive approach demonstrated here allows us to quickly address potential issues.

Being open source means being open to all forms of feedback from the community, from feature request to 0-day disclosure, so we greatly appreciate the detailed results being provided.

These newly disclosed vulnerabilities were exposed by veteran security researchers against a default, non-hardened TrueNAS installation. By following the best practices outlined in the TrueNAS Security Recommendations guide (https://www.truenas.com/docs/solutions/optimizations/security/) you can significantly reduce your chances of being exposed to vulnerabilities.

• Keep TrueNAS up-to-date with the most recent updates for your supported version
• Upgrade to new major releases promptly consistent with your deployment use case
• Disable any network services that are not in use
• Restrict the TrueNAS web UI, IPMI, and any other management interfaces to private subnets away from untrusted users
• Configure Syslog settings to send logs to an external server
• In TrueNAS 24.04 (Dragonfish) or later, locally monitor and review audit logs using the Audit screen
• In the System > Advanced Settings, keep the Show Text Console without Password Prompt setting on Disabled

As with any other computer on your network, it is recommended to place your TrueNAS system behind a firewall, IDS/IPS, or other gateway device to reduce your attack surface. Using a secure (and frequently updated) firewall or IDS/IPS device, as well as restricting access to the management or available IPMI interfaces, will help significantly reduce the attack surface.

Enable two-factor authentication (2FA) where possible, and require a password even for physical console access.

The TrueNAS engineering team is currently focused on reviewing the vulnerabilities identified at Pwn2Own, and triaging them between system configuration and software issues. We will be rolling out updates and improved documentation as necessary, ensuring our system is more secure and resilient. Keep an eye out for updates on the TrueNAS Software Status page, and ensure your system is configured to automatically check for updates.