Security Report for TrueNAS 13.0-U5 and 13.0-U5.1

This is a security scan report of a default install of TrueNAS 13.0-U5 and 13.0-U5.1. When enabled, TrueNAS system services must be properly configured to prevent introducing any additional threat vectors. Follow industry best practices and the TrueNAS Documentation. If assistance is required, contact the iXsystems Support Team. If a separate security audit finds issues that are not listed below, contact the iXsystems Support Team for assistance.

This security report has two sections: the first is the findings from pkg audit of the system, and the second is the results from Nessus scans of the system.

  • Known Issues: 14
  • False Flags: 0
  • Critical Severity Alerts: 0
  • High Severity Alerts: 0
  • Medium Severity Alerts: 0
  • Low Severity Alerts: 0
  • Information Alerts: 26


Known Issues

py39-configobj-5.0.6_1

CVE: CVE-2023-26112 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.*)). Note: This is only exploitable in the case of a developer putting the offending value in a server side configuration file.

TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122070

git-lite-2.34.1

CVE: CVE-2022-39260 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-39260

Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git’s push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.

TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system; git shell is not accessible via SSH. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122071

CVE: CVE-2022-39253 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-39253

Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source’s $GIT_DIR/objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim’s machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option. Git does not create symbolic links in the $GIT_DIR/objects directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the --local optimization when on a shared machine, either by passing the --no-local option to git clone or cloning from a URL that uses the file:// scheme. Alternatively, avoid cloning repositories from untrusted sources with --recurse-submodules or run git config --global protocol.file.allow user.

TrueNAS Information: Not exposed - Only exploitable by a privileged local user who already has full access to the system; git shell is not accessible via SSH. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122071

git

CVE: CVE-2023-29007 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user’s $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122072

CVE: CVE-2023-25652 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the *.rej file exists.

TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122072

minio-2021.12.27.07.23.18_1

CVE: CVE-2022-24842 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-24842

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in RELEASE.2022-04-12T06-55-35Z. Users unable to upgrade may work around this issue by explicitly adding an admin:CreateServiceAccount deny policy; however, this, in turn, denies the user the ability to create their own service accounts as well.

TrueNAS Information: The built-in S3 service is exploitable, but this can be mitigated by migrating to the “Plugin-Based” MinIO service, which is patched beyond this vulnerability level. With the built-in S3 service set to “Disabled” in the TrueNAS UI, TrueNAS is not vulnerable. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122074

libxml2-2.9.12

CVE: CVE-2023-29469 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-29469

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the ‘\0’ value).

TrueNAS Information: Under Investigation: https://ixsystems.atlassian.net/browse/NAS-122075

CVE: CVE-2023-28484 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-28484

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

TrueNAS Information: Under Investigation: https://ixsystems.atlassian.net/browse/NAS-122075

squashfs-tools-4.3_1

CVE: CVE-2015-4645 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2015-4645

Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.

TrueNAS Information: Not exposed - iXsystems has determined that this vulnerability is not applicable to TrueNAS due to the lack of exposure of this utility. This issue may be addressed in a future TrueNAS release. https://ixsystems.atlassian.net/browse/NAS-122076

pixman-0.40.0_1

CVE: CVE-2022-44638 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-44638

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122077

py39-sentry-sdk-1.4.3

CVE: CVE-2023-28117 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookie values, including the session cookie, to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have sendDefaultPII set to True; one must use a custom name for either SESSION_COOKIE_NAME or CSRF_COOKIE_NAME in one’s Django settings; and one must not be configured in one’s organization or project settings to use Sentry’s data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the sentry-sdk will detect the custom cookie names based on one’s Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK’s filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the before_send callback method and for performance related events (transactions) one can use the before_send_transaction callback method. Those who want to handle filtering of these values on the server-side can also use Sentry’s advanced data scrubbing feature to account for the custom cookie names. Look for the $http.cookies, $http.headers, $request.cookies, or $request.headers fields to target with a scrubbing rule.

TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122079

py39-cryptography-3.3.2

CVE: CVE-2023-0286 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122080

CVE: CVE-2023-23931 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2023-23931

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122080

py39-setuptools-57.0.0

CVE: CVE-2022-40897 For more information see: https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

TrueNAS Information: Under Investigation - https://ixsystems.atlassian.net/browse/NAS-122081

Security Scan Results

Information Alerts: 26

The remaining alerts are items that can be flagged as a security vulnerability by automated security scans, but are not vulnerabilities. For example, one of the listed alerts flags that TrueNAS uses an nginx web server. TrueNAS uses a web server to provide a User Interface for system configuration. This is a normal part of TrueNAS operation. The TrueNAS nginx server is current and contains all the latest security patches. If you have more specific security concerns regarding any of these alerts, please contact the iXsystems Support Team.


Nessus ID 10107 - HTTP Server Type and Version Synopsis : A web server is running on the remote host.

The remote web server type is : nginx
The remote web server type is : Python/3.9 aiohttp/3.7.4.post0

Ports 80, 443, 6000


Nessus ID 10114 - ICMP Timestamp Request Remote Date Disclosure Synopsis : It is possible to determine the exact time set on the remote host.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 10287 - Traceroute Information Synopsis : It was possible to obtain traceroute information.


Nessus ID 10386 - Web Server No 404 Error Code Check Synopsis : The remote web server does not return 404 error codes.

Ports 80, 443

All invalid URLS are redirected to the signin page.


Nessus ID 10863 - SSL Certificate Information Synopsis : This plugin displays the SSL certificate.


Nessus ID 11219 - Nessus SYN scanner Synopsis : It is possible to determine which TCP ports are open.

Ports 80, 443, 6000


Nessus ID 11936 - OS Identification Synopsis: It is possible to guess the remote operating system.

Response:

Remote operating system : FreeBSD 10.3
Confidence level : 56


Nessus ID 19506 - Nessus Scan Information Synopsis : This plugin displays information about the Nessus scan.

Information about this scan :
Nessus version : 10.5.2
Plugin feed version : 202305221003


Nessus ID 21643 - SSL Cipher Suites Supported Synopsis : The remote service encrypts communications using SSL.


Nessus ID 22964 - Service Detection Synopsis : The remote service could be identified.

tcp/80 : A web server is running on this port.
tcp/443 : A TLSv1.2 server answered on this port.
tcp/443 : A web server is running on this port through TLSv1.2.


Nessus ID 24260 - HyperText Transfer Protocol (HTTP) Information Synopsis : Some information about the remote HTTP configuration can be extracted.

Ports 80, 443, 6000


Nessus ID 25220 - TCP/IP Timestamps Supported Synopsis : The remote service implements TCP timestamps.


Nessus ID 42822 - Strict Transport Security (STS) Detection Synopsis : The remote web server implements Strict Transport Security.

Ports 80, 443


Nessus ID 42823 - Non-compliant Strict Transport Security (STS) Synopsis: The remote web server implements Strict Transport Security incorrectly.

Port 80

The Strict-Transport-Security header must not be sent over an unencrypted channel.

Port 443

The response from the web server listening on port 80:

  • does not contain a Status-Code of 301.
  • does not contain a Location header field.

If this is a concern in your operating environment, contact the iXsystems Support Team for assistance.


Nessus ID 45590 - Common Platform Enumeration (CPE) Synopsis: It was possible to enumerate CPE names that matched on the remote system.

Response:

The remote operating system matched the following CPE :
cpe:/o:freebsd:freebsd:10.3 -> FreeBSD

Following application CPEs matched on the remote system :
cpe:/a:nginx:nginx -> Nginx
cpe:/a:python:python:3.9 -> Python


Nessus ID 54615 - Device Type Synopsis: It is possible to guess the remote device type.

Response:

Remote device type : unknown
Confidence level : 56


Nessus ID 56984 - SSL / TLS Versions Supported Synopsis : The remote service encrypts communications.

tcp/443/www : This port supports TLSv1.3/TLSv1.2.


Nessus ID 57041 - SSL Perfect Forward Secrecy Cipher Suites Supported Synopsis : The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.


Nessus ID 62564 - TLS Next Protocols Supported Synopsis : The remote service advertises one or more protocols as being supported over TLS.


Nessus ID 84821 - TLS ALPN Supported Protocol Enumeration Synopsis : The remote host supports the TLS ALPN extension.


Nessus ID 87242 - TLS NPN Supported Protocol Enumeration Synopsis : The remote host supports the TLS NPN extension.


Nessus ID 106375 - nginx HTTP Server Detection Synopsis : The nginx HTTP server was detected on the remote host.

Ports 80, 443


Nessus ID 122364 - Python Remote HTTP Detection Synopsis: Python is running on the remote host.

Port 6000

Path : /
Version : 3.9
Product : Python


Nessus ID 136318 - TLS Version 1.2 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.


Nessus ID 138330 - TLS Version 1.3 Protocol Detection Synopsis: The remote service encrypts traffic using a version of TLS.


Nessus ID 156899 - SSL/TLS Recommended Cipher Suites Synopsis : The remote host advertises discouraged SSL/TLS ciphers.

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined below:

High Strength Ciphers (>= 112-bit key)

Name                       Code        KEX  Auth  Encryption              MAC
-------------------------  ----------  ---  ----  ----------------------  ------
DHE-RSA-AES-128-CCM-AEAD   0xC0, 0x9E  DH   RSA   AES-CCM(128)            AEAD
DHE-RSA-AES-128-CCM8-AEAD  0xC0, 0xA2  DH   RSA   AES-CCM8(128)           AEAD
DHE-RSA-AES-256-CCM-AEAD   0xC0, 0x9F  DH   RSA   AES-CCM(256)            AEAD
DHE-RSA-AES-256-CCM8-AEAD  0xC0, 0xA3  DH   RSA   AES-CCM8(256)           AEAD
DHE-RSA-CHACHA20-POLY1305  0xCC, 0xAA  DH   RSA   ChaCha20-Poly1305(256)  SHA256

The fields above are :
  {Tenable ciphername}
  {Cipher ID code}
  Kex={key exchange}
  Auth={authentication}
  Encrypt={symmetric encryption method}
  MAC={message authentication code}
  {export flag}