Security Report for TrueNAS SCALE 22.12.2

This is a security scan report of a default install of TrueNAS SCALE 22.12.2. When enabled, TrueNAS system services must be properly configured to prevent introducing any additional threat vectors. Follow industry best practices and the TrueNAS Documentation. If assistance is required, contact the iXsystems Support Team. If you are concerned about results from a separate security audit that finds issues not listed below, contact the iXsystems Support Team for assistance.

  • Known Issues: 807 (See bottom of report)
  • False Flags: 0
  • Critical Severity Alerts: 0
  • High Severity Alerts: 0
  • Medium Severity Alerts: 3
  • Low Severity Alerts: 1
  • Information Alerts: 40


Security Scan Results

Medium Severity Alerts: 3


Nessus Alert ID 51192 - SSL Certificate Cannot Be Trusted Synopsis: The SSL certificate for this service cannot be trusted.


Nessus Alert ID 57582 - SSL Self-Signed Certificate Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.


Nessus Alert ID 45411 - SSL Certificate with Wrong Hostname Synopsis: The SSL certificate for this service is for a different host.

Solution: Install a proper SSL certificate to resolve these issues. Refer to the TrueNAS SCALE User Guide.


Low Severity Alerts: 1


Nessus ID 70658 - SSH Server CBC Mode Ciphers Enabled Synopsis: An SSH server is listening on this port.


Information Alerts: 40

The remaining alerts are items that can be flagged as a security vulnerability by automated security scans, but are not vulnerabilities. For example, one of the listed alerts flags that TrueNAS uses an nginx web server. TrueNAS uses a web server to provide a User Interface for system configuration. This is a normal part of TrueNAS operation. The TrueNAS nginx server is current and contains all the latest security patches. If you have more specific security concerns regarding any of these alerts, please contact the iXsystems Support Team.


Nessus ID 19506 - Nessus Scan Information Synopsis: This plugin displays information about the Nessus scan.

Nessus version: 10.4.1, plugin feed version: 202304021354


Nessus ID 10107 - HTTP Server Type and Version Synopsis: A web server is running on the remote host.

Ports 80, 443, 6000

  • The remote web server type is: nginx
  • The remote web server type is: Python/3.8 aiohttp/3.6.2


Nessus ID 10114 - ICMP Timestamp Request Remote Date Disclosure Synopsis: It is possible to determine the exact time set on the remote host.


Nessus ID 10150 - Windows NetBIOS / SMB Remote Host Information Disclosure Synopsis: It was possible to obtain the network name of the remote host.


Nessus ID 10223 - RPC portmapper Service Detection Synopsis: An ONC RPC service is running on the remote host. Port 111

udp/111/rpc-portmapper


Nessus ID 10267 - SSH Server Type and Version Information Synopsis: An SSH server is listening on this port.


Nessus ID 10287 - Traceroute Information Synopsis: It was possible to obtain traceroute information.


Nessus ID 10386 - Web Server No 404 Error Code Check Synopsis: The remote web server does not return 404 error codes.

Ports 80, 443

All invalid URLs are redirected to the sign-in page.


Nessus ID 10863 - SSL Certificate Information Synopsis: This plugin displays the SSL certificate.


Nessus ID 10881 - SSH Password Authentication Accepted Synopsis: An SSH server is running on the remote host.


Nessus ID 11111 - RPC Services Enumeration Synopsis: An ONC RPC service is running on the remote host. Port 111

The following RPC services are available on TCP port 111:

  • program: 100000 (portmapper), version: 4
  • program: 100000 (portmapper), version: 3
  • program: 100000 (portmapper), version: 2

Nessus ID 11219 - Nessus SYN scanner Synopsis: It is possible to determine which TCP ports are open.

Ports 80, 111, 443, 6000


Nessus ID 11936 - OS Identification Synopsis: It is possible to guess the remote operating system.


Nessus ID 12053 - Host Fully Qualified Domain Name (FQDN) Resolution Synopsis: It was possible to resolve the name of the remote host.


Nessus ID 21643 - SSL Cipher Suites Supported Synopsis: The remote service encrypts communications using SSL.


Nessus ID 22964 - Service Detection Synopsis: The remote service could be identified.

  • tcp/80: A web server is running on this port.
  • tcp/443: A TLSv1.2 server answered on this port.
  • tcp/443: A web server is running on this port through TLSv1.2.


Nessus ID 24260 - HyperText Transfer Protocol (HTTP) Information Synopsis: Some information about the remote HTTP configuration can be extracted.

Ports 80, 443, 6000


Nessus ID 25220 - TCP/IP Timestamps Supported Synopsis: The remote service implements TCP timestamps.


Nessus ID 42822 - Strict Transport Security (STS) Detection Synopsis: The remote web server implements Strict Transport Security.

Ports 80, 443


Nessus ID 42823 - Non-compliant Strict Transport Security (STS) Synopsis: The remote web server implements Strict Transport Security incorrectly.

Port 80: The Strict-Transport-Security header must not be sent over an unencrypted channel.

Port 443: The response from the web server listening on port 80:

  • does not contain a Status-Code of 301.
  • does not contain a Location header field.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 45410 - SSL Certificate ‘commonName’ Mismatch Synopsis: The ‘commonName’ (CN) attribute in the SSL certificate does not match the hostname.


Nessus ID 45590 - Common Platform Enumeration (CPE) Synopsis: It was possible to enumerate CPE names that matched on the remote system.

Response:

The remote operating system matched the following CPE : cpe:/o:microsoft:windows_vista


Nessus ID 46215 - Inconsistent Hostname and IP Address Synopsis: It was possible to enumerate CPE names that matched on the remote system.


Nessus ID 53335 - RPC portmapper (TCP) Synopsis: An ONC RPC service is running on the remote host. Port 111

tcp/111/rpc-portmapper


Nessus ID 54615 - Device Type Synopsis: It is possible to guess the remote device type.


Nessus ID 56984 - SSL / TLS Versions Supported Synopsis: The remote service encrypts communications.

tcp/443/www: This port supports TLSv1.3/TLSv1.2.


Nessus ID 57041 - SSL Perfect Forward Secrecy Cipher Suites Supported Synopsis: The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.


Nessus ID 62564 - TLS NPN Supported Protocol Enumeration Synopsis: The remote service advertises one or more protocols as being supported over TLS.


Nessus ID 70657 - SSH Algorithms and Languages Supported Synopsis: An SSH server is listening on this port.


Nessus ID 84821 - TLS ALPN Supported Protocol Enumeration Synopsis: The remote host supports the TLS ALPN extension.


Nessus ID 87242 - TLS NPN Supported Protocol Enumeration Synopsis: The remote host supports the TLS NPN extension.


Nessus ID 106375 - nginx HTTP Server Detection Synopsis: The nginx HTTP server was detected on the remote host.

Ports 80, 443


Nessus ID 110723 - Target Credential Status by Authentication Protocol - No Credentials Provided Synopsis: Nessus was able to find common ports used for local checks; however, no credentials were provided in the scan policy.


Nessus ID 117886 - OS Security Patch Assessment Not Available Synopsis: OS Security Patch Assessment is not available.


Nessus ID 122364 - Python Remote HTTP Detection Synopsis: Python is running on the remote host. Port 6000

Path: /, Version: 3.9, Product: Python


Nessus ID 136318 - TLS Version 1.2 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.


Nessus ID 138330 - TLS Version 1.3 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.

Solution: The ability to control these globally is included in TrueNAS. If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 149334 - SSH Protocol Versions Supported Synopsis: The SSH server on the remote host accepts password authentication.


Nessus ID 153588 - SSH SHA-1 HMAC Algorithms Enabled Synopsis: The remote SSH server is configured to enable SHA-1 HMAC algorithms.


Nessus ID 156899 - SSL/TLS Recommended Cipher Suites Synopsis: The remote host advertises discouraged SSL/TLS ciphers.

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:

High Strength Ciphers (>= 112-bit key)

  Name                        Code        KEX  Auth  Encryption               MAC
  DHE-RSA-AES-128-CCM-AEAD    0xC0, 0x9E  DH   RSA   AES-CCM(128)             AEAD
  DHE-RSA-AES-128-CCM8-AEAD   0xC0, 0xA2  DH   RSA   AES-CCM8(128)            AEAD
  DHE-RSA-AES-256-CCM-AEAD    0xC0, 0x9F  DH   RSA   AES-CCM(256)             AEAD
  DHE-RSA-AES-256-CCM8-AEAD   0xC0, 0xA3  DH   RSA   AES-CCM8(256)            AEAD
  DHE-RSA-CHACHA20-POLY1305   0xCC, 0xAA  DH   RSA   ChaCha20-Poly1305(256)   SHA256

The fields above are: {Tenable ciphername} {Cipher ID code} Kex={key exchange} Auth={authentication} Encrypt={symmetric encryption method} MAC={message authentication code} {export flag}



Known Issues: 807

KNOWN CVES

amd64-microcode 3.20191218.1: CVE-2019-9836

apache2 2.4.54-1: CVE-2023-25690 CVE-2006-20001 CVE-2022-26377 CVE-2022-30522 CVE-2022-28615 CVE-2022-31813 CVE-2022-37436 CVE-2022-36760 CVE-2022-29404 CVE-2023-27522 CVE-2022-30556 CVE-2022-28614

bash 5.1-2: CVE-2022-3715

busybox 1:1.30.1: CVE-2021-42378 CVE-2021-42383 CVE-2021-28831 CVE-2021-42380 CVE-2021-42385 CVE-2021-42377 CVE-2021-42381 CVE-2021-42384 CVE-2021-42386 CVE-2021-42379 CVE-2021-42382

cifs-utils: CVE-2022-27239 CVE-2022-29869

consul 1.8.7: CVE-2021-38698 CVE-2021-37219

coreutils 8.32: CVE-2016-2781

cpio 2.13: CVE-2021-38185

cryptsetup 1.8.7-6: CVE-2021-4122

curl 7.74.0: CVE-2022-27778 CVE-2022-22576 CVE-2023-23915 CVE-2022-32221 CVE-2022-27774 CVE-2022-32207 CVE-2022-27776 CVE-2021-22946 CVE-2022-42915 CVE-2021-22924 CVE-2022-27782 CVE-2022-27781 CVE-2021-22947 CVE-2023-27535 CVE-2023-27536 CVE-2022-27780 CVE-2022-30115 CVE-2023-27537 CVE-2022-35252 CVE-2021-22945 CVE-2022-32208 CVE-2022-43552 CVE-2023-23914 CVE-2022-32206 CVE-2022-35260 CVE-2022-43551 CVE-2023-27534 CVE-2023-27538 CVE-2022-32205 CVE-2023-23916 CVE-2022-42916 CVE-2021-22898 CVE-2022-27775 CVE-2023-27533 CVE-2022-27779

dbus 1.12.20-2: CVE-2022-42010 CVE-2022-42011 CVE-2022-42012

dpkg 1.20.12: CVE-2022-1664

e2fsprogs 1.46.2: CVE-2022-1304

git 2.30.2: CVE-2022-24765 CVE-2022-39253 CVE-2022-29187 CVE-2022-41903 CVE-2022-23521 CVE-2023-22490 CVE-2023-23946 CVE-2022-39260

gzip: CVE-2022-1271

haproxy 2.2.9: CVE-2021-39242 CVE-2023-25725 CVE-2021-39240 CVE-2021-39241 CVE-2022-0711 CVE-2023-0056 CVE-2023-0836 CVE-2021-40346

intel-microcode 3.20220510.1: CVE-2022-21125 CVE-2022-21127 CVE-2022-21151 CVE-2022-21216 CVE-2022-38090 CVE-2022-21123 CVE-2022-21233 CVE-2022-33972 CVE-2022-21166 CVE-2022-33196

keepalived: CVE-2021-44225

less: CVE-2022-46663

libgcrypt20 1.8.7-6: CVE-2021-33560

libhttp-daemon-perl 6.12-1: CVE-2022-31081

libtasn1-6: CVE-2021-46848

libxml2 2.9.10: CVE-2016-3709 CVE-2022-29824 CVE-2022-40303 CVE-2022-23308 CVE-2022-40304

logrotate 3.18: CVE-2022-1348

mc 4.8.26: CVE-2021-36370

nginx: CVE-2020-36309 CVE-2022-41742 CVE-2022-41741 CVE-2021-3618

ntfs3g: CVE-2021-39257 CVE-2021-39260 CVE-2022-30787 CVE-2021-39254 CVE-2021-39256 CVE-2021-39258 CVE-2022-30786 CVE-2022-40284 CVE-2021-35268 CVE-2021-39253 CVE-2021-39262 CVE-2022-30785 CVE-2021-33289 CVE-2021-35266 CVE-2021-39252 CVE-2021-39255 CVE-2021-39259 CVE-2022-30788 CVE-2021-33286 CVE-2021-35267 CVE-2021-39263 CVE-2022-30783 CVE-2022-30784 CVE-2022-30789 CVE-2021-33287 CVE-2021-35269 CVE-2021-39251 CVE-2021-39261 CVE-2021-33285 CVE-2021-46790

opensc 0.21.0: CVE-2021-42778 CVE-2021-42782 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781

openssl 1.1.1s: CVE-2022-2274 CVE-2023-0216 CVE-2022-3786 CVE-2022-2097 CVE-2022-4203 CVE-2022-3358 CVE-2023-0286 CVE-2023-0215 CVE-2022-4450 CVE-2022-3602 CVE-2022-3996 CVE-2022-4304 CVE-2023-0217 CVE-2023-0401 CVE-2022-2068

open-vm-tools: CVE-2022-31676 CVE-2009-1143

openvpn 2.5.1: CVE-2022-0547

perl 5.32.1: CVE-2021-36770 CVE-2020-16156

policykit-1: CVE-2021-4034 CVE-2021-4115

rsync 3.2.3: CVE-2022-29154

sqlite3: CVE-2022-46908

squashfs-tools: CVE-2021-40153 CVE-2021-41072

sudo 1.9.5: CVE-2023-22809 CVE-2023-28487 CVE-2023-28486 CVE-2023-27320

syslog-ng 3.28.1-2: CVE-2022-38725

sysstat 2.5.2-2: CVE-2022-39377

systemd 247.3-7: CVE-2022-3821 CVE-2021-3997 CVE-2022-4415 CVE-2022-45873

unzip: CVE-2022-0529 CVE-2022-0530

util-linux: CVE-2021-3995 CVE-2021-3996

zsh: CVE-2021-45444



Service Hardening

Exposed services should be hardened according to your security needs and according to what your deployed environment will allow. There is no “one size fits all” solution. If you have questions or concerns and have a support contract with iXsystems, contact your support representative. Examples of services that may warrant hardening include nginx, ntp, openipmi, rpcbind, ssh, winbind, wsdd, etc.
