Netatalk CVE Announcement

On March 21st 2022, the Netatalk project commited an update announcing 7 CVEs. Of those six affect AFP on TrueNAS 12.0 CVE-2022-23121 CVE-2022-23123 CVE-2022-23122 CVE-2022-23125 CVE-2022-23124 CVE-2022-0194 The CVEs only affect TrueNAS CORE. TrueNAS SCALE is not vulnerable. A fix for these CVEs has been completed, update any TrueNAS systems to version 12.0-U8.1 as soon as possible. iXsystems strongly recommends using the SMB or NFS sharing protocols. Users with different sharing protocols are encouraged to consider migrating.

CVE-2022-23125 : netatalk - copyapplfile Stack-based Buffer Overflow Remote Code Execution

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1.
To verify if a system isvulnerable, run afpd -v. Systems with a version string that is not 3.1.13 or newer are vulnerable.

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-23124 : netatalk - get_finderinfo Out-Of-Bounds Read Information Disclosure

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1 To verify if a system isvulnerable, run afpd -v. Systems with a version string that is not 3.1.13 or newer are vulnerable.

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-23123 : netatalk - getdirparams Out-Of-Bounds Read Information Disclosure

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1 To verify if a system isvulnerable, run afpd -v. Systems with a version string that is not 3.1.13 or newer are vulnerable.

Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-23122 : netatalk - setfilparams Stack-based Buffer Overflow Remote Code Execution

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1 To verify if a system isvulnerable, run afpd -v. Systems with a version string that is not 3.1.13 or newer are vulnerable.

Description

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-23121 : netatalk - parse_entries Improper Handling of Exceptional Conditions Remote Code Execution

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1 To verify if a system isvulnerable, run afpd -v. Systems with a version string that is not 3.1.13 or newer are vulnerable.

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-0194 : netatalk - ad_addcomment Stack-based Buffer Overflow Remote Code Execution

Versions Affected : All versions prior to TrueNAS Core 12.0-U8.1

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

CVE-2022-0778 : Infinite loop in BN_mod_sqrt()

Versions Affected : All SCALE versions prior to TrueNAS SCALE 22.02.0.1. All CORE versions priot to TrueNAS CORE 12.0-U8.1

Description

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

FreeBSD-SA-22:01.vt : Timezone database information update

Versions Affected : All versions prior to TrueNAS 12.0-U8

Description

Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

FreeBSD-EN-22:04.pcid : Incorrect PCID mode invalidations

Versions Affected : All versions prior to TrueNAS 12.0-U8

Description

Operations specific to TLB invalidation in PCID mode were misordered with respect to IPI transmission.

FreeBSD-EN-22:03.hyperv : vPCI compatibility improvements

Versions Affected : All versions prior to TrueNAS 12.0-U8

Description

A Hyper-V vPCI emulation change can cause SR-IOV (Single-Root I/O Virtualization) and DDA (Discrete Device Assignment) devices to fail to operate correctly under Hyper-V.

FreeBSD-EN-22:01.xsave : Incorrect XSAVE state size

Versions Affected : All versions prior to TrueNAS 12.0-U8

Description

The hard-coded size for state region 1 (SSE/XMM) was incorrect, effectively filling the xmm8 through xmm15 registers with arbitrary values on signal return when the init optimization occurred.

Log4j Vulnerability Status

On December 13th, 2021 the US Cyber Security & Infrastructure Security Agency released an alert about a log4j vulnerabilities referred to as Log4j. This security vulnerability has been designated as CVE-2021-44228. The TrueNAS CORE 12.x releases, the TrueNAS SCALE 22.02 RC releases, and TrueCommand 2.x do not utilize log4j, and as a result iXsystems is pleased to report that these products are not vulnerable. However, iXsystems always encourages users to keep their TrueNAS and TrueCommand systems up to date to ensure they are running with the latest security patches at all times.

FreeBSD-EN-21:29.tzdata : Timezone database information update

Versions Affected : All versions prior to TrueNAS 12.0-U7

Description

Several changes in Daylight Saving Time transition dates happened after previous FreeBSD releases were released affecting many users in different parts of the world.

FreeBSD-EN-21:28.vmci : kernel panic in vmci driver initialization

Versions Affected : All versions prior to TrueNAS 12.0-U7

Description

An error during driver initialization results in a kernel panic due to unallocated resources being freed up.

FreeBSD-EN-21:27.caroot : Root certificate bundle update

Versions Affected : All versions prior to TrueNAS 12.0-U7

Description

Several certificates were removed from the bundle after the latest release of FreeBSD 12.2 and FreeBSD 13.0.

FreeBSD-SA-21:17.openssl : Multiple OpenSSL vulnerabilities

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

There are two issues fixed in this security advisory: CVE-2021-23840 & CVE-2021-23841

FreeBSD-SA-21:16.openssl : Multiple OpenSSL vulnerabilities

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

There are two issues fixed in this security advisory: CVE-2021-3711 & CVE-2021-3712

FreeBSD-SA-21:15.libfetch : libfetch out of bounds read

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes.

FreeBSD-SA-21:14.ggatec : Remote code execution in ggatec(8)

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows to overwrite the stack of ggatec(8).

FreeBSD-SA-21:13.bhyve : Missing error handling in bhyve(8) device models

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors.

FreeBSD-EN-21:25.bhyve : Fix NVMe iovec construction for large IOs

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

When a RHEL 8.4 and later (or variants) are installed as guests within bhyve(8) on emulated NVMe storage, the system will not boot due to a newer UEFI driver that is included with these distributions.

FreeBSD-EN-21:24.libcrypto : OpenSSL 1.1.1e API functions not exported

Versions Affected : All versions prior to TrueNAS 12.0-U6

Description

New API functions added in OpenSSL 1.1.1e and later were not publicly exported to applications.

FreeBSD-SA-21:22.linux_futex : Linux compatibility layer futex(2) system call vulnerability

Versions Affected : All versions prior to TrueNAS 12.0-U5

Description

A programming error in the Linux compatibility layer futex(2) system call might allow attackers to cause a denial of service

FreeBSD-SA-21:19.libcasper : libcasper assertion failure

Versions Affected : All versions prior to TrueNAS 12.0-U5

Description

libcasper(3) allows Capsicum-sandboxed applications to define and use system interfaces which are ordinarily disallowed. It is used by multiple programs in the base system, such as logger(1).

FreeBSD-SA-21:12.libradius : Incorrect validation in rad_get_attr(3)

Versions Affected : All versions prior to TrueNAS 12.0-U5

Description

The patch for FreeBSD-SA-21:12.libradius modified rad_get_attr(3) to verify that an attribute length smaller than the minimum required for the attribute type and length fields is disallowed.

FreeBSD-SA-21:12.libradius : Missing message validation in libradius(3)

Versions Affected : All versions prior to TrueNAS 12.0-U5

Description

libradius did not perform sufficient validation of received messages.

FreeBSD-SA-21:11.smap : SMAP bypass

Versions Affected : All versions prior to TrueNAS 12.0-U5

Description

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

FreeBSD-EN-21:14.pms : pms(4) data corruption

Versions Affected : All versions prior to TrueNAS 12.0-U4

Description

Two problems are fixed by this update. First, the pms(4) driver did not correctly handle the new kern.maxphys value set in FreeBSD 13.0. Second, the pms(4) driver did not correctly handle some error cases in the I/O path and would falsely report success to upper layers.

FreeBSD-EN-21:11.aesni : Race condition in aesni(4)

Versions Affected : All versions prior to TrueNAS 12.0-U4

Description

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

FreeBSD-SA-21:10.jail_mount : jail escape possible by mounting over jail root

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

Due to a race condition between lookup of “..” and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

FreeBSD-SA-21:09.accept_filter : Memory disclosure by stale virtual memory mapping

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

An unprivileged process can configure an accept filter on a listening socket.

FreeBSD-SA-21:08.vm : Memory disclosure by stale virtual memory mapping

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

A particular case of memory sharing is mishandled in the virtual memory system.

FreeBSD-EN-21:10.lldb : lldb abort on print command

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

Attempts to use lldb’s print command (p alias) resulted in lldb aborting.

FreeBSD-EN-21:09.pf : net.pf.request_maxcount not settable from loader.conf

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

The net.pf.request_maxcount sysctl provides an upper bound on the amount of memory used by pf(4) to store various types of state.

FreeBSD-SA-21:07.openssl : Multiple vulnerabilities in OpenSSL

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

This advisory covers two distinct OpenSSL issues: X509_V_FLAG_X509_STRICT & TLSv1.2 renegotiation ClientHello message.

FreeBSD-SA-21:05.jail_chdirn : jail_attach(2) relies on the caller to change the cwd

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

FreeBSD-SA-21:04.xen : Xen grant mapping error handling issues

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver.

FreeBSD-SA-21:04.jail_remove : jail_remove(2) fails to kill all jailed processes

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

FreeBSD-SA-21:03.pam_login_access : login.access fails to apply rules

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

A regression in the login.access(5) rule processor has the effect of causing rules to fail to match even when they should not. This means that rules denying access may be ignored.

FreeBSD-EN-21:08.freebsd-update : freebsd-update passwd regeneration

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

The existing logic to try and avoid regenerating passwd/login.conf files relies on timestamp comparisons between old and new files, with the caveat that it’s comparing the installed with a timestamp that has been clobbered to do the comparison.

FreeBSD-EN-21:07.caroot : Root certificate bundle update

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

Several certificates were removed from the bundle after the latest release of FreeBSD 12.2.

FreeBSD-EN-21:06.microcode : Boot-time microcode loading causes a boot hang

Versions Affected : All versions prior to TrueNAS 12.0-U3

Description

An interaction between the code which frees the unused portions of the microcode file and the rest of the system can cause boot hangs.

FreeBSD-SA-21:02.xenoom : Xen guests can triger backend Out Of Memory

Versions Affected : All versions prior to TrueNAS 12.0-U2

Description

Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch events using a single thread.

FreeBSD-SA-21:01.fsdisclosure : Uninitialized kernel stack leaks in several file systems

Versions Affected : All versions prior to TrueNAS 12.0-U2

Description

The FreeBSD kernel exports file system directory entries to userspace using the generic “dirent” structure.

FreeBSD-EN-21:04.zfs : zfs recv fails to propagate snapshot deletion

Versions Affected : All versions prior to TrueNAS 12.0-U2

Description

A regression in FreeBSD 12.2 causes zfs receive to fail to delete snapshots that have been deleted on the source side.

FreeBSD-EN-21:03.vnet : Panic when destroying VNET and epair simultaneously

Versions Affected : All versions prior to TrueNAS 12.0-U2

Description

Insufficient locking in the kernel meant that destroying an epair and a vnet jail at the same time often resulted in panics.

FreeBSD-EN-21:01.tzdata : Timezone database information update

Versions Affected : All versions prior to TrueNAS 12.0-U2

Description

Several changes in Daylight Savings Time happened after previous FreeBSD releases were released that would affect many people who live in different countries.

FreeBSD-SA-20:33.openssl : OpenSSL NULL pointer de-reference

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

The X.509 GeneralName type is a generic type for representing different types of names.

FreeBSD-SA-20:32.rtsold : Multiple vulnerabilities in rtsold

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

Two bugs exist in rtsold(8)’s RDNSS and DNSSL option handling.

FreeBSD-SA-20:31.icmp6 : ICMPv6 use-after-free error

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols.

FreeBSD-EN-20:22.callout : Race Condition in Callout CPU Migration

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

The bug may result in kernel panics under some workloads, typically in the softclock threads.

FreeBSD-EN-20:21.ipfw : Uninitialized variable in ipfw

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

A regression in FreeBSD 12.2 meant that ipfw(8) fwd commands referencing specific port numbers may configure the firewall incorrectly.

FreeBSD-EN-20:20.tzdata : Timezone database information update

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

Several changes in Daylight Saving Time happened after previous FreeBSD releases were released that would affect many people who live in different parts of the world.

FreeBSD-EN-20:19.audit : execve/fexecve system call auditing

Versions Affected : All versions prior to TrueNAS 12.0-U1

Description

All execve/fexecve system calls in affected versions will be reported as a failure, even upon successful execution.

Intel-2020-11-12.microcode : Intel Microcode Update

Versions Affected : All verisons prior to TrueNAS 12.0

Description

Intel Microcode Release 20201112

TrueNAS Software Development Life Cycle

TrueNAS Software Development Life Cycle The TrueNAS (and FreeNAS) software development life cycle (SDLC) is the process for planning, creating, testing, deploying, and maintaining FreeNAS and TrueNAS releases. In TrueNAS there are five stages to the SDLC: requirement analysis, design and development, testing and evaluation, documentation, and maintenance. Requirement analysis: Determine the objectives, nature, and scope of future versions of the software. This involves gathering feedback and interpreting customer needs and requirements, diagnosing existing problems, and weighing the pros and cons of potential solutions.