Security Report for TrueNAS SCALE 22.12.0

This is a security scan report of a default install of TrueNAS SCALE 22.12.0. When enabled, TrueNAS system services must be properly configured to prevent introducing any additional threat vectors. Follow industry best practices and the TrueNAS Documentation. If assistance is required, contact the iXsystems Support Team. If you are concerned about results from a separate security audit that finds issues that are not listed below, contact the iXsystems Support Team for assistance.

  • Known Issues: 807 (See bottom of report)
  • False Flags: 0
  • Critical Severity Alerts: 0
  • High Severity Alerts: 0
  • Medium Severity Alerts: 2
  • Low Severity Alerts: 0
  • Information Alerts: 29


Security Scan Results

Medium Severity Alerts: 2

Nessus Alert ID 51192 - SSL Certificate Cannot Be Trusted Synopsis: The SSL certificate for this service cannot be trusted.

Nessus Alert ID 57582 - SSL Self-Signed Certificate Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Solution: Install a proper SSL certificate to resolve these issues. Refer to the TrueNAS SCALE User Guide.


Information Alerts: 29

The remaining alerts are items that can be flagged as a security vulnerability by automated security scans, but are not vulnerabilities. For example, one of the listed alerts flags that TrueNAS uses an nginx web server. TrueNAS uses a web server to provide a User Interface for system configuration. This is a normal part of TrueNAS operation. The TrueNAS nginx server is current and contains all the latest security patches. If you have more specific security concerns regarding any of these alerts, please contact the iXsystems Support Team.


Nessus ID 45590 - Common Platform Enumeration (CPE) Synopsis: It was possible to enumerate CPE names that matched on the remote system.

Response:

The remote operating system matched the following CPE : cpe:/o:microsoft:windows_vista


Nessus ID 10107 - HTTP Server Type and Version Synopsis: A web server is running on the remote host.

The remote web server type is : nginx
The remote web server type is : Python/3.8 aiohttp/3.6.2
Ports 80, 443, 600


Nessus ID 24260 - HyperText Transfer Protocol (HTTP) Information Synopsis: Some information about the remote HTTP configuration can be extracted.

Ports 80, 443, 6000


Nessus ID 11219 - Nessus SYN scanner Synopsis: It is possible to determine which TCP ports are open.

Ports 80, 111, 443, 6000


Nessus ID 19506 - Nessus Scan Information Synopsis: This plugin displays information about the Nessus scan.

Information about this scan :
Nessus version : 8.14.0
Plugin feed version : 202105241315


Nessus ID 42823 - Non-compliant Strict Transport Security (STS) Synopsis: The remote web server implements Strict Transport Security incorrectly.

Port 80: The Strict-Transport-Security header must not be sent over an unencrypted channel.

Port 443: The response from the web server listening on port 80:

  • does not contain a Status-Code of 301.
  • does not contain a Location header field.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 122364 - Python Remote HTTP Detection Synopsis: Python is running on the remote host. Port 6000

Path : /
Version : 3.9
Product : Python


Nessus ID 11111 - RPC Services Enumeration Synopsis: An ONC RPC service is running on the remote host. Port 111

The following RPC services are available on TCP port 111 :

  • program: 100000 (portmapper), version: 4
  • program: 100000 (portmapper), version: 3
  • program: 100000 (portmapper), version: 2

Nessus ID 53335 - RPC portmapper (TCP) Synopsis: An ONC RPC service is running on the remote host. Port 111

tcp/111/rpc-portmapper


Nessus ID 10223 - RPC portmapper Service Detection Synopsis: An ONC RPC service is running on the remote host. Port 111

udp/111/rpc-portmapper


Nessus ID 70657 - SSH Algorithms and Languages Supported Synopsis: An SSH server is listening on this port.


Nessus ID 149334 - SSH Password Authentication Accepted Synopsis: The SSH server on the remote host accepts password authentication.


Nessus ID 10881 - SSH Protocol Versions Supported Synopsis: An SSH server is running on the remote host.


Nessus ID 153588 - SSH SHA-1 HMAC Algorithms Enabled Synopsis: The remote SSH server is configured to enable SHA-1 HMAC algorithms.


Nessus ID 10267 - SSH Server Type and Version Information Synopsis: An SSH server is listening on this port.


Nessus ID 56984 - SSL / TLS Versions Supported Synopsis: The remote service encrypts communications.

tcp/443/www : This port supports TLSv1.3/TLSv1.2.


Nessus ID 45410 - SSL Certificate ‘commonName’ Mismatch Synopsis: The ‘commonName’ (CN) attribute in the SSL certificate does not match the hostname.


Nessus ID 10863 - SSL Certificate Information Synopsis: This plugin displays the SSL certificate.


Nessus ID 21643 - SSL Cipher Suites Supported Synopsis: The remote service encrypts communications using SSL.


Nessus ID 57041 - SSL Perfect Forward Secrecy Cipher Suites Supported Synopsis: The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.


Nessus ID 156899 - SSL/TLS Recommended Cipher Suites Synopsis: The remote host advertises discouraged SSL/TLS ciphers.

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:

High Strength Ciphers (>= 112-bit key)

  Name                        Code        KEX  Auth  Encryption              MAC
  DHE-RSA-AES-128-CCM-AEAD    0xC0, 0x9E  DH   RSA   AES-CCM(128)            AEAD
  DHE-RSA-AES-128-CCM8-AEAD   0xC0, 0xA2  DH   RSA   AES-CCM8(128)           AEAD
  DHE-RSA-AES-256-CCM-AEAD    0xC0, 0x9F  DH   RSA   AES-CCM(256)            AEAD
  DHE-RSA-AES-256-CCM8-AEAD   0xC0, 0xA3  DH   RSA   AES-CCM8(256)           AEAD
  DHE-RSA-CHACHA20-POLY1305   0xCC, 0xAA  DH   RSA   ChaCha20-Poly1305(256)  SHA256

The fields above are : {Tenable ciphername} {Cipher ID code} Kex={key exchange} Auth={authentication} Encrypt={symmetric encryption method} MAC={message authentication code} {export flag}


Nessus ID 22964 - Service Detection Synopsis: The remote service could be identified.

tcp/80 : A web server is running on this port.
tcp/443 : A TLSv1.2 server answered on this port.
tcp/443 : A web server is running on this port through TLSv1.2.


Nessus ID 42822 - Strict Transport Security (STS) Detection Synopsis: The remote web server implements Strict Transport Security.

Ports 80, 443


Nessus ID 62564 - TLS NPN Supported Protocol Enumeration Synopsis: The remote service advertises one or more protocols as being supported over TLS.


Nessus ID 87242 - TLS Next Protocols Supported Synopsis: The remote host supports the TLS NPN extension.


Nessus ID 84821 - TLS ALPN Supported Protocol Enumeration Synopsis: The remote host supports the TLS ALPN extension.


Nessus ID 136318 - TLS Version 1.2 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.

Nessus ID 138330 - TLS Version 1.3 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.

Solution: TrueNAS includes a global setting for controlling which TLS versions are enabled. If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 10386 - Web Server No 404 Error Code Check Synopsis: The remote web server does not return 404 error codes.

Ports 80, 443

All invalid URLs are redirected to the sign-in page.


Nessus ID 106375 - nginx HTTP Server Detection Synopsis: The nginx HTTP server was detected on the remote host.

Ports 80, 443



Known Issues: 807

KNOWN CVES

amd64-microcode 3.20220411.1: CVE-2019-9836

apache2 2.4.52: CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813

apparmor 2.13.6: CVE-2016-1585

avahi: CVE-2021-3468

bind 9.16.27: CVE-2022-38178 CVE-2021-25220 CVE-2021-25220 CVE-2021-25220 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178

busybox: CVE-2021-28831 CVE-2021-42378 CVE-2021-42379 CVE-2021-42380 CVE-2021-42381 CVE-2021-42382 CVE-2021-42383 CVE-2021-42384 CVE-2021-42385 CVE-2021-42386 CVE-2022-28391

cifs-utils: CVE-2022-27239 CVE-2022-29869

consul 1.8.7: CVE-2021-37219 CVE-2021-38698 CVE-2021-41803 CVE-2022-24687 CVE-2022-29153 CVE-2022-3920 CVE-2022-40716

coreutils 8.32: CVE-2016-2781

cpio 2.13: CVE-2021-38185

curl 7.74.0: CVE-2022-32221

dbus 1.12.20-2: CVE-2022-42010 CVE-2022-42011 CVE-2022-42012

dnsmasq 2.85: CVE-2022-0934

dpkg 1.20.9: CVE-2022-1664 CVE-2022-1664

e2fsprogs 1.46.2: CVE-2022-1304

exim4 4.94.2: CVE-2021-38371 CVE-2022-3559 CVE-2021-38371 CVE-2022-3559 CVE-2021-38371 CVE-2022-3559

firmware-linux: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2021-23168 CVE-2021-23223 CVE-2021-37409 CVE-2021-44545 CVE-2022-21181

firmware-linux-nonfree: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2021-23168 CVE-2021-23223 CVE-2021-37409 CVE-2021-44545 CVE-2022-21181

git 2.30.2: CVE-2022-24765 CVE-2022-29187 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260

gnupg 2.2.27: CVE-2022-34903

gnutls28: CVE-2021-4209 CVE-2022-2509 CVE-2021-4209 CVE-2022-2509

gzip 1.10: CVE-2022-1271

intel-microcode: CVE-2022-21233

isc-dhcp-client 4.4.1-2.3: CVE-2022-2928 CVE-2022-2929

keepalived: CVE-2021-44225

krb5-user 1.18.3-6+deb11u2: CVE-2022-42898

libapparmor1: CVE-2016-1585

libarchive13: CVE-2022-36227

libavahi: CVE-2021-3468

libblas3: CVE-2021-4048

libbpf0: CVE-2021-45940 CVE-2021-45941 CVE-2022-3534 CVE-2022-3606

libcairo-gobject2: CVE-2017-7475 CVE-2018-18064 CVE-2019-6461 CVE-2019-6462

libcom-err2: CVE-2022-1304

libconfuse: CVE-2022-40320

libcpupower1: CVE-2013-7445 CVE-2018-12928 CVE-2019-19378 CVE-2019-19449 CVE-2019-19814 CVE-2019-20794 CVE-2020-0347 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-14304 CVE-2020-15802 CVE-2020-26140 CVE-2020-26142 CVE-2020-26143 CVE-2020-26555 CVE-2020-36516 CVE-2021-33061 CVE-2021-3669 CVE-2021-3714 CVE-2021-3759 CVE-2021-3847 CVE-2021-3864 CVE-2021-39686 CVE-2021-4037 CVE-2021-4149 CVE-2021-44879 CVE-2022-0480 CVE-2022-1184 CVE-2022-1247 CVE-2022-1280 CVE-2022-20421 CVE-2022-23825 CVE-2022-2663 CVE-2022-2873 CVE-2022-2961 CVE-2022-2978 CVE-2022-3061 CVE-2022-3169 CVE-2022-3176 CVE-2022-3303 CVE-2022-3344 CVE-2022-3424 CVE-2022-3523 CVE-2022-3524 CVE-2022-3535 CVE-2022-3542 CVE-2022-3545 CVE-2022-3564 CVE-2022-3565 CVE-2022-3566 CVE-2022-3567 CVE-2022-3586 CVE-2022-3594 CVE-2022-3621 CVE-2022-3623 CVE-2022-3628 CVE-2022-36280 CVE-2022-3640 CVE-2022-36402 CVE-2022-3646 CVE-2022-3649 CVE-2022-3707 CVE-2022-38096 CVE-2022-38457 CVE-2022-3903 CVE-2022-39188 CVE-2022-39189 CVE-2022-40133 CVE-2022-40307 CVE-2022-40768 CVE-2022-4095 CVE-2022-41218 CVE-2022-4129 CVE-2022-4139 CVE-2022-41848 CVE-2022-41849 CVE-2022-41850 CVE-2022-42895 CVE-2022-42896 CVE-2022-43750 CVE-2022-43945

libcurl3-gnutls: CVE-2022-32221 CVE-2022-35252

libcurl4: CVE-2022-32221

libdb5.3: CVE-2019-8457

libexpat1: CVE-2022-40674 CVE-2022-43680

libext2fs2: CVE-2022-1304

libgcrypt20: CVE-2021-33560

libgd3: CVE-2021-38115 CVE-2021-40812

libharfbuzz0b: CVE-2022-33068

libjpeg62-turbo: CVE-2021-46822

libksba 1.5.0-3: CVE-2022-3515

liblapack3: CVE-2021-4048

liblua: CVE-2019-6706 CVE-2020-24370 CVE-2021-43519

libmariadb3: CVE-2021-46669 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27382 CVE-2022-27383 CVE-2022-27384 CVE-2022-27385 CVE-2022-27386 CVE-2022-27387 CVE-2022-27444 CVE-2022-27445 CVE-2022-27446 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27451 CVE-2022-27452 CVE-2022-27455 CVE-2022-27456 CVE-2022-27457 CVE-2022-27458 CVE-2022-32081 CVE-2022-32082 CVE-2022-32083 CVE-2022-32084 CVE-2022-32085 CVE-2022-32086 CVE-2022-32087 CVE-2022-32088 CVE-2022-32089 CVE-2022-32091 CVE-2022-38791

libmodbus5: CVE-2022-0367

libncurses6: CVE-2022-29458

libnss: CVE-2022-3821

libpam: CVE-2022-3821

libperl: CVE-2020-16156

libpng16: CVE-2022-3857

libpolkit: CVE-2016-2568

libpq5: CVE-2022-1552 CVE-2022-2625

libprotobuf: CVE-2022-33070 CVE-2021-22569 CVE-2021-22570 CVE-2022-1941 CVE-2022-3171 CVE-2022-3509 CVE-2022-3510

librados2: CVE-2021-3979 CVE-2022-0670 CVE-2022-3650 CVE-2022-3854

librbd1: CVE-2021-3979 CVE-2022-0670 CVE-2022-3650 CVE-2022-3854

libsepol1: CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087

libsndfile1: CVE-2021-4156

libsnmp: CVE-2022-44792

libsqlite3: CVE-2021-45346

libss2: CVE-2022-1304

libssl1.1: CVE-2022-2068 CVE-2022-2097

libtasn1-6: CVE-2021-46848

libsystemd0: CVE-2022-3821

libtiff: CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-34526 CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3970

libtinfo6: CVE-2022-29458

libunbound8: CVE-2022-30698 CVE-2022-30699 CVE-2022-3204

libusbredirparser1: CVE-2021-3700

libvarnishapi2: CVE-2022-45060

libvirglrenderer1: CVE-2022-0135

libvirt 7.6.0: CVE-2021-3631 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897

libxml2: CVE-2016-3709 CVE-2022-40303 CVE-2022-40304

linux-perf 5.10.140-1: CVE-2013-7445 CVE-2018-12928 CVE-2019-19378 CVE-2019-19449 CVE-2019-19814 CVE-2019-20794 CVE-2020-0347 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-14304 CVE-2020-15802 CVE-2020-26140 CVE-2020-26142 CVE-2020-26143 CVE-2020-26555 CVE-2020-36516 CVE-2021-33061 CVE-2021-3669 CVE-2021-3714 CVE-2021-3759 CVE-2021-3847 CVE-2021-3864 CVE-2021-39686 CVE-2021-4037 CVE-2021-4149 CVE-2021-44879 CVE-2022-0480 CVE-2022-1184 CVE-2022-1247 CVE-2022-1280 CVE-2022-20421 CVE-2022-23825 CVE-2022-2663 CVE-2022-2873 CVE-2022-2961 CVE-2022-2978 CVE-2022-3061 CVE-2022-3169 CVE-2022-3176 CVE-2022-3303 CVE-2022-3344 CVE-2022-3424 CVE-2022-3523 CVE-2022-3524 CVE-2022-3535 CVE-2022-3542 CVE-2022-3545 CVE-2022-3564 CVE-2022-3565 CVE-2022-3566 CVE-2022-3567 CVE-2022-3586 CVE-2022-3594 CVE-2022-3621 CVE-2022-3623 CVE-2022-3628 CVE-2022-36280 CVE-2022-3640 CVE-2022-36402 CVE-2022-3646 CVE-2022-3649 CVE-2022-3707 CVE-2022-38096 CVE-2022-38457 CVE-2022-3903 CVE-2022-39188 CVE-2022-39189 CVE-2022-40133 CVE-2022-40307 CVE-2022-40768 CVE-2022-4095 CVE-2022-41218 CVE-2022-4129 CVE-2022-4139 CVE-2022-41848 CVE-2022-41849 CVE-2022-41850 CVE-2022-42895 CVE-2022-42896 CVE-2022-43750 CVE-2022-43945 CVE-2022-44032 CVE-2022-44033 CVE-2022-44034 CVE-2022-45884 CVE-2022-45885 CVE-2022-45886 CVE-2022-45887 CVE-2022-45888 CVE-2022-45919 CVE-2022-45934

logsave 1.46.2: CVE-2022-1304

mariadb-common 1:10.5.15: CVE-2021-46669 CVE-2022-27376 CVE-2022-27377 CVE-2022-27378 CVE-2022-27379 CVE-2022-27380 CVE-2022-27381 CVE-2022-27382 CVE-2022-27383 CVE-2022-27384 CVE-2022-27385 CVE-2022-27386 CVE-2022-27387 CVE-2022-27444 CVE-2022-27445 CVE-2022-27446 CVE-2022-27447 CVE-2022-27448 CVE-2022-27449 CVE-2022-27451 CVE-2022-27452 CVE-2022-27455 CVE-2022-27456 CVE-2022-27457 CVE-2022-27458 CVE-2022-32081 CVE-2022-32082 CVE-2022-32083 CVE-2022-32084 CVE-2022-32085 CVE-2022-32086 CVE-2022-32087 CVE-2022-32088 CVE-2022-32089 CVE-2022-32091 CVE-2022-38791

mc 4.8.26: CVE-2021-36370

ncurses 6.2: CVE-2022-29458

nginx: CVE-2013-0337 CVE-2020-36309 CVE-2022-41741 CVE-2022-41742

ntfs3g: CVE-2022-40284

open-vm-tools 11.2.5: CVE-2009-1143

openvpn 2.5.1-3: CVE-2022-0547

opensc 0.21.0: CVE-2021-42778 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782

openssh 8.4: CVE-2021-41617

openssl 1.1.1n: CVE-2022-2097 CVE-2022-2068 CVE-2022-0547

openvpn 2.5.1: CVE-2022-0547

ovmf 2020.11: CVE-2019-14560 CVE-2021-28216 CVE-2021-38575 CVE-2021-38576 CVE-2021-38577 CVE-2021-38578

perl 5.32.1: CVE-2020-16156

pixman 0.40.0-1: CVE-2022-44638

policykit-1: CVE-2016-2568

python 2.7: CVE-2015-20107 CVE-2021-23336 CVE-2021-4189

python 3.9: CVE-2021-29921 CVE-2015-20107 CVE-2020-10735 CVE-2020-13757 CVE-2020-25658 CVE-2021-29921 CVE-2021-3426 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2021-21240 CVE-2021-23437 CVE-2021-33430 CVE-2021-46823 CVE-2022-2309 CVE-2022-0391 CVE-2022-0718 CVE-2022-40023 CVE-2022-42919 CVE-2022-45061 CVE-2022-45198

qemu: CVE-2019-12067 CVE-2020-14394 CVE-2020-15469 CVE-2020-25741 CVE-2020-25742 CVE-2020-25743 CVE-2020-35503 CVE-2020-35504 CVE-2020-35505 CVE-2021-20196 CVE-2021-20203 CVE-2021-20255 CVE-2021-3507 CVE-2021-3735 CVE-2021-3750 CVE-2021-3930 CVE-2022-0216 CVE-2022-3872 CVE-2022-4144

rclone 1.56.1: CVE-2019-11840

rsync 3.2.3: CVE-2022-29154

shim-unsigned 15.4: CVE-2022-28737

snmpd 5.9: CVE-2022-44792 CVE-2022-44793

sqlite3 3.34.1: CVE-2021-45346

systemd 247.3: CVE-2022-3821

sysstat 12.5.2-2: CVE-2022-39377

udev 247.3: CVE-2022-3821

vim: CVE-2021-31879 CVE-2021-3872 CVE-2021-4019 CVE-2022-0261 CVE-2022-0351 CVE-2022-0359 CVE-2022-0361 CVE-2022-0417 CVE-2022-0572 CVE-2022-1616 CVE-2022-1785 CVE-2022-1897 CVE-2022-1942 CVE-2022-2000 CVE-2022-2129 CVE-2022-2304 CVE-2022-3099 CVE-2022-3134 CVE-2022-3324 CVE-2022-4141

wayland 1.18.0: CVE-2021-3782



Service Hardening

Exposed services should be hardened according to your security needs and according to what your deployed environment will allow. There is no “one size fits all” solution. If you have questions or concerns and have a support contract with iXsystems, contact your support representative. Examples of services that may warrant hardening include nginx, ntp, openipmi, rpcbind, ssh, winbind, wsdd, etc.
