Security Report for TrueNAS 12.0-U5.1

This is a security scan report of a default install of TrueNAS 12.0-U5.1. When enabled, TrueNAS system services must be properly configured to prevent introducing any additional threat vectors. Follow industry best practices and the TrueNAS Documentation. If assistance is required, contact the iXsystems Support Team. If a separate security audit finds issues that are not listed below, contact the iXsystems Support Team for assistance.

  • Known Issues: 8
  • Critical Severity Alerts: 0
  • High Severity Alerts: 0
  • Medium Severity Alerts: 2
  • Low Severity Alerts: 0
  • Information Alerts: 28


Known Issues

freetype2-2.10.1

freetype2 – heap buffer overlfow CVE: CVE-2020-15999 For more info see: https://vuxml.FreeBSD.org/freebsd/458df97f-1440-11eb-aaec-e0d55e2a8bf9.html

Note: TrueNAS does not allow a user to upload PNGs to trigger this attack.

libxml2-2.9.10_3 is vulnerable:

libxml2 – Possible denial of service CVE: CVE-2021-3541 For more info see: https://vuxml.FreeBSD.org/freebsd/524bd03a-bb75-11eb-bf35-080027f515ea.html

Note: TrueNAS does not allow a user to inject XML to trigger this attack.

expat-2.2.8 is vulnerable:

texproc/expat2 – billion laugh attack CVE: CVE-2013-0340 For more info see: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html

Note: This CVE is caused by expat’s reliance on the libxml vulnerability listed above.

curl-7.76.1 is vulnerable:

cURL – Multiple vulnerabilities CVE: CVE-2021-22926 CVE: CVE-2021-22925 CVE: CVE-2021-22924 CVE: CVE-2021-22923 CVE: CVE-2021-22922 For more info see: https://vuxml.FreeBSD.org/freebsd/aa646c01-ea0d-11eb-9b84-d4c9ef517024.html

squashfs-tools-4.3_1 is vulnerable:

squashfs-tools – Integer overflow CVE: CVE-2015-4645 For more info see: https://vuxml.FreeBSD.org/freebsd/317487c6-85ca-11eb-80fa-14dae938ec40.html

py39-yaml-5.3.1 is vulnerable:

PyYAML – arbitrary code execution CVE: CVE-2020-14343 For more info see: https://vuxml.FreeBSD.org/freebsd/c7ec6375-c3cf-11eb-904f-14dae9d5a9d2.html

nginx-1.16.1_12,2 is vulnerable:

NGINX – 1-byte memory overwrite in resolver CVE: CVE-2021-23017 For more info see: https://vuxml.FreeBSD.org/freebsd/0882f019-bd60-11eb-9bdd-8c164567ca3c.html

apache24-2.4.46 is vulnerable:

Apache httpd – Multiple vulnerabilities CVE: CVE-2021-31618 CVE: CVE-2021-30641 CVE: CVE-2021-26691 CVE: CVE-2021-26690 CVE: CVE-2020-35452 CVE: CVE-2020-13950 CVE: CVE-2020-13938 CVE: CVE-2019-17567 For more info see: https://vuxml.FreeBSD.org/freebsd/cce76eca-ca16-11eb-9b84-d4c9ef517024.html

False Flag

rsync-3.1.3_2 is vulnerable:

net/rsync – multiple zlib issues CVE: CVE-2016-9840 CVE: CVE-2016-9841 CVE: CVE-2016-9842 CVE: CVE-2016-9843 WWW: https://vuxml.FreeBSD.org/freebsd/085399ab-dfd7-11ea-96e4-80ee73bc7b66.html

Note: These CVEs against rsync are due to its dependence on a vulnerable version of zlib. However, TrueNAS is built against the version of zlib in base and not the version the rysnc port depends on. As such, the zlib vulnerability does not exist or affect any installs of TrueNAS 12.0-U4, even though pkg audit flags the version. This can be confirmed on a Truenas 12.0-U4 box by running pkg info rsync.

Security Scan Results

Medium Severity Alerts: 2

Nessus Alert ID 51192 - SSL Certificate Cannot Be Trusted Synopsis: The SSL certificate for this service cannot be trusted.

Nessus Alert ID 57582 - SSL Self-Signed Certificate Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Solution: Install a proper SSL Certification to resolve these issues. Refer to the TrueNAS User Guide.


Information Alerts: 28

The remaining alerts are items that can be flagged as a security vulnerability by automated security scans, but are not vulnerabilities. For example, one of the listed alerts flags that TrueNAS uses an nginx web server. TrueNAS uses a web server to provide a User Interface for system configuration. This is a normal part of TrueNAS operation. The TrueNAS nginx server is current and contains all the latest security patches. If you have more specific security concerns regarding any of these alerts, please contact the iXsystems Support Team.


Nessus ID 45590 - Common Platform Enumeration (CPE) Synopsis: It was possible to enumerate CPE names that matched on the remote system.

Response:

The remote operating system matched the following CPE : cpe:/o:microsoft:windows_vista


Nessus ID 54615 - Device Type Synopsis: It is possible to guess the remote device type.

Response:

Remote device type : general-purpose Confidence level : 65


Nessus ID 35716 - Ethernet Card Manufacturer Detection Synopsis: The manufacturer can be identified from the Ethernet OUI.


Nessus ID 86420 - Ethernet MAC Addresses Synopsis : This plugin gathers MAC addresses from various sources and consolidates them into a list.


Nessus ID 10107 - HTTP Server Type and Version Synopsis : A web server is running on the remote host.

The remote web server type is : nginx The remote web server type is : Python/3.8 aiohttp/3.6.2


Nessus ID 24260 - HyperText Transfer Protocol (HTTP) Information Synopsis : Some information about the remote HTTP configuration can be extracted.

Ports 80, 443, 6000


Nessus ID 10114 - ICMP Timestamp Request Remote Date Disclosure Synopsis : It is possible to determine the exact time set on the remote host.

The remote clock is synchronized with the local clock.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 11219 - Nessus SYN scanner Synopsis : It is possible to determine which TCP ports are open.

Ports 80, 443, 6000


Nessus ID 19506 - Nessus Scan Information Synopsis : This plugin displays information about the Nessus scan.

Information about this scan : Nessus version : 8.14.0 Plugin feed version : 202105241315


Nessus ID 42823 - Non-compliant Strict Transport Security (STS) Synopsis: The remote web server implements Strict Transport Security incorrectly. Port 80

The Strict-Transport-Security header must not be sent over an unencrypted channel. Port 443 The response from the web server listening on port 80:

  • does not contain a Status-Code of 301.
  • does not contain a Location header field.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 11936 - OS Identification Synopsis: It is possible to guess the remote operating system.

Response:

Remote operating system : Microsoft Windows Vista Confidence level : 65


Nessus ID 122364 - Python Remote HTTP Detection Synopsis: Python is running on the remote host. Port 6000

Path : / Version : 3.9 Product : Python


Nessus ID 56984 - SSL / TLS Versions Supported Synopsis : The remote service encrypts communications.

tcp/443/www : This port supports TLSv1.3/TLSv1.2.


Nessus ID 10863 - SSL Certificate Information Synopsis : This plugin displays the SSL certificate.


Nessus ID 21643 - SSL Cipher Suites Supported Synopsis : The remote service encrypts communications using SSL.


Nessus ID 57041 - SSL Perfect Forward Secrecy Cipher Suites Supported Synopsis : The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.


Nessus ID 22964 - Service Detection Synopsis : The remote service could be identified.

tcp/80 : A web server is running on this port. tcp/443 : A TLSv1.2 server answered on this port. tcp/443 : A web server is running on this port through TLSv1.2.


Nessus ID 42822 - Strict Transport Security (STS) Detection Synopsis : The remote web server implements Strict Transport Security.

Ports: 80,443


Nessus ID 25220 - TCP/IP Timestamps Supported Synopsis : The remote service implements TCP timestamps.


Nessus ID 84821 - TLS ALPN Supported Protocol Enumeration Synopsis : The remote host supports the TLS ALPN extension.


Nessus ID 87242 - TLS NPN Supported Protocol Enumeration Synopsis : The remote host supports the TLS NPN extension.


Nessus ID 62564 - TLS Next Protocols Supported Synopsis : The remote service advertises one or more protocols as being supported over TLS.


Nessus ID 136318 - TLS Version 1.2 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.

Nessus ID 138330 - TLS Version 1.3 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.

Solution: The ability to control these globally is included in TrueNAS 12.0. If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 10287 - Traceroute Information Synopsis : It was possible to obtain traceroute information.


Nessus ID 10386 - Web Server No 404 Error Code Check Synopsis : The remote web server does not return 404 error codes.

Ports 80, 443

All invalid URLS are redirected to the signin page.


Nessus ID 66717 - mDNS Detection (Local Network) Synopsis : It is possible to obtain information about the remote host.

Solution: mDNS can be disabled in TrueNAS on a per-service basis. The ability to control these globally is included in TrueNAS 12.0. If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 106375 - nginx HTTP Server Detection Synopsis : The nginx HTTP server was detected on the remote host.

Ports 80, 443


Back to CORE Archive