iXsystems Vulnerability Ratings

iXsystems reviews potential vulnerabilities and assigns ratings to these based on their impact to TrueNAS or TrueNAS-related products. When a rating is assigned, iXsystems applies the related policy.

Rating	Definition	iXsystems Policy	Example
Critical	Remote Exploits by Unprivileged users. Services that can be exploited by network attacks from users with non-root level privileges. In particular attacks against TrueNAS while the system is being operated following iXsystems security best practices for operation.	These exploits are disclosed with mitigation instructions and if possible, and patched within 30 days of discovery.	Attacking SSH, SMB or Middleware Services from the network with no authentication, or users authenticated without “root” level privileges.
Medium	Exploits which can be executed by LOCAL users on the system, I.E. SSH or the console directly, when the TrueNAS is being operated in a manner counter to iX security best practices for operation.	These exploits are disclosed with mitigation instructions and if possible, scheduled for patching in subsequent updates.	Users have been given SSH access to a system, and via their local shell are able to gain privileges by exploiting vulnerabilities.
Low	Exploits in packages which can only be executed by a privileged user (I.E. root or equivalent).	As root users already have access to the entire stack, there is no tangible benefit to exploitation of vulnerabilities at this layer. These issues will be noted in security notes and updates will be scheduled when appropriate.	Root API users can craft an API submission in a way which triggers an exploit in a dependent library.
False Positive	Exploits incorrectly identified by common vulnerability scanners.	These do not pose any threat to TrueNAS or TrueCommand but are shared in the security reports with rationale as a courtesy to users who run their own scans.	N/A

Back