CVE-2020-11650 : Login DOS

Versions Affected : All verisons prior to FreeNAS/TrueNAS 11.2-u8 Description An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-u1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent. Workaround No workaround is available. Mitigation Upgrade to FreeNAS/TrueNAS 11.

New Security Defaults for Active Directory

Critical Information for Current FreeNAS and TrueNAS Users regarding Active Directory Microsoft is changing the security defaults for Active Directory to eliminate some security vulnerabilities in its protocols. These new security defaults are likely to disrupt existing FreeNAS and TrueNAS deployments once Windows systems are updated. Users not using Active Directory are unaffected by these Microsoft updates. The Windows updates may appear sometime in March 2020. *FreeNAS and TrueNAS users that utilize Active Directory should update to version 11.

CVE-2019-14907 : Samba Log Level

Versions Affected : All verisons prior to FreeNAS/TrueNAS 11.2-U8

Description

All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with “log level = 3” (or above) then the string obtained from the client, after a failed character conversion, is printed.

CVE-2019-14870 : Samba AD DNS DoS

Versions Affected : All versions prior to FreeNAS 11.2-U8

Description

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable.

CVE-2019-14861 : Samba AD DNS DoS

Versions Affected : All versions prior to FreeNAS 11.2-U8

Description

An authenticated user can crash the DCE/RPC DNS management server by creating records matching the zone name in different case spelling.

CVE-2019-10197 : Samba Config

Versions Affected : All versions prior to FreeNAS 11.2-U6

Description

A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file.

CVE-2019-3880 : Samba RPC Endpoint Emulation

Versions Affected : All versions prior to FreeNAS 11.2-U4

Description

A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API.