...
...
...
...
...
...
...
Purpose
As a standard practice, organizations protect their systems from known security vulnerabilities by running security scanners.
...
Below is a list of CVEs, with the SoftNAS response to each, that customers have brought to our attention as the result of running a security scanner.
If you plan to run a security scan, make sure you are on the latest appliance release and that the scanner's vulnerability database is up to date. Also keep in mind that security scans regularly report false positives: many scanners flag "possible" vulnerabilities based only on the OS version banner, without checking the installed package versions or whether a backported fix has already mitigated the issue.
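The following is an added example, not SoftNAS code, showing how to triage such a finding on a CentOS-based appliance instead of trusting the banner: Red Hat and CentOS backport fixes without changing the upstream version string, so the installed RPM's changelog, not the version number, records which CVEs a build fixes. The changelog text below is constructed for the example (fake maintainer, version and dates); the CVE IDs are taken from the table further down.

```shell
#!/bin/sh
# Added example, not SoftNAS code: decide whether a scanner CVE hit against a
# CentOS-based appliance is a false positive by asking the installed RPM's
# changelog, not the OS banner, whether the fix is present.

# changelog_mentions_cve CVE-ID : reads an RPM changelog on stdin and prints the
# first line naming that CVE; exit status 1 if the CVE is not mentioned.
changelog_mentions_cve() {
    # Token-boundary match so CVE-2018-278 does not match CVE-2018-2783.
    grep -m1 -E "(^|[^0-9])$1([^0-9]|\$)"
}

# verdict CVE-ID : reads a changelog on stdin, prints a one-line verdict,
# returns 0 when the fix is recorded and 1 otherwise.
verdict() {
    hit=$(changelog_mentions_cve "$1" || true)
    if [ -n "$hit" ]; then
        echo "$1: fix present in installed package (changelog: $hit)"
        return 0
    fi
    echo "$1: not named in changelog - confirm by other means (vendor advisory, component not in use)"
    return 1
}

# triage PACKAGE CVE-ID : the same check against the live RPM database.
triage() {
    rpm -q --changelog "$1" | verdict "$2"
}

# Constructed sample in the shape of `rpm -q --changelog kernel` output
# (fake maintainer, version and dates; the CVE IDs are from the table below).
SAMPLE_CHANGELOG='* Mon Aug 20 2018 Example Maintainer <maint@example.com> - 3.10.0-0.example2
- Resolves: CVE-2017-0861 CVE-2017-15265 CVE-2018-1000004 CVE-2018-10901
* Mon Jul 30 2018 Example Maintainer <maint@example.com> - 3.10.0-0.example1
- Resolves: CVE-2018-5390 CVE-2018-3639'

# Stand-alone demonstration on the constructed sample (no rpm needed):
printf '%s\n' "$SAMPLE_CHANGELOG" | verdict CVE-2017-15265
printf '%s\n' "$SAMPLE_CHANGELOG" | verdict CVE-2018-10902 || true
# On the appliance itself:  triage kernel CVE-2017-15265
```

A negative result is not proof of exposure: the component may not be installed or not in use at all (as with several rows below), so treat "not named in changelog" as "check the vendor response", not as "vulnerable".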
Resolution
Vulnerability CVE IDs | Vulnerability Title | Resolution
---|---|---
CVE-2017-9798 | Apache HTTPD: Use-after-free when using <Limit > with an unrecognized method in .htaccess (OptionsBleed) | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2017-9788 | Apache HTTPD: Uninitialized memory reflection in mod_auth_digest | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2017-7679 | Apache HTTPD: mod_mime Buffer Overread | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2017-3169 | Apache HTTPD: mod_ssl Null Pointer Dereference | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2017-3167 | Apache HTTPD: ap_get_basic_auth_pw (Authentication Bypass) | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2016-8743 | Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2016-5387 | Apache HTTPD: HTTP_PROXY environment variable "httpoxy" mitigation | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2015-3183 | Apache HTTPD: HTTP request smuggling attack against chunked request parser | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2014-0231 | Apache HTTPD: mod_cgid denial of service | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2014-0226 | Apache HTTPD: mod_status buffer overflow | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2014-0118 | Apache HTTPD: mod_deflate denial of service | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2014-0098 | Apache HTTPD: mod_log_config crash | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2013-6438 | Apache HTTPD: mod_dav crash | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2013-5704 | Apache HTTPD: HTTP Trailers processing bypass | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2013-1896 | Apache HTTPD: mod_dav crash | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2013-1862 | Apache HTTPD: mod_rewrite log escape filtering | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-4558 | Apache HTTPD: XSS in mod_proxy_balancer | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-4557 | Apache HTTPD: mod_proxy_ajp remote DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-3499 | Apache HTTPD: XSS due to unescaped hostnames | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-2687 | Apache HTTPD: XSS in mod_negotiation when untrusted uploads are supported | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-0883 | Apache HTTPD: insecure LD_LIBRARY_PATH handling | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-0053 | Apache HTTPD: error responses can expose cookies | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2012-0031 | Apache HTTPD: scoreboard parent DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2011-4317 | Apache HTTPD: mod_proxy reverse proxy exposure | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2011-3607 | Apache HTTPD: mod_setenvif .htaccess privilege escalation | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2011-3368 | Apache HTTPD: mod_proxy reverse proxy exposure | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2011-3348 | Apache HTTPD: mod_proxy_ajp remote DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2011-0419 | Apache HTTPD: apr_fnmatch flaw leads to mod_autoindex remote DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2010-1623 | Apache HTTPD: apr_brigade_split_line DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2009-3720 | Apache HTTPD: expat DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2009-3560 | Apache HTTPD: expat DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2016-4975 | Apache HTTPD: mod_userdir CRLF injection | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2010-1452 | Apache HTTPD: mod_cache and mod_dav DoS | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2010-0386, CVE-2009-2823, CVE-2008-7253, CVE-2007-3008, CVE-2006-4683, CVE-2005-3398, CVE-2004-2763, CVE-2004-2320 | Apache HTTP TRACE Method Enabled | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2013-2566 | TLS/SSL Server Supports RC4 Cipher Algorithms | Fixed starting from the 4.2 release
(no CVE) | NFS Exported Share Information Disclosure | Configure NFS on the remote host so that only authorized hosts can mount its remote shares.
CVE-2018-1160 | Netatalk OpenSession Remote Code Execution | AFP is an obsolete protocol. You may disable it by commenting out its restart in the NAS services start script: `sed -i 's/^\(service netatalk restart\)/#\1/g' /var/www/softnas/scripts/start-nasservices.sh`. This only prevents netatalk from being started on the next boot; stop the running daemon with `service netatalk stop`.
(no CVE) | Microsoft Windows SMB Shares Unprivileged Access | To restrict access under Windows, open Explorer, right-click each share, go to the 'Sharing' tab, and click 'Permissions'.
CVE-2011-3389 | TLS/SSL Server is enabling the BEAST attack | SoftNAS has the affected protocols disabled.
CVE-2016-2183 | TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) | Fixed starting from the 4.2 release
CVE-2003-1418 | Apache HTTPD: ETag Inode Information Leakage | Not applicable from SoftNAS 4.2 (Apache is no longer used)
CVE-2000-1200 | Anonymous users can obtain the Windows password policy | SoftNAS is designed to allow anonymous SMB access by default. The appliance should be firewalled from the public internet, with SMB allowed only from the internal subnets that need it.
CVE-1999-0625 | Sensitive RPC 'rquotad' Service is Enabled | SoftNAS provides the rquotad service by default. Access to it should be firewalled from the public internet and allowed only from the internal subnets that need it.
CVE-1999-0524 | ICMP timestamp response | The SoftNAS appliance responds to ICMP (ping). ICMP should be firewalled from the public internet and allowed only from the internal subnets that need it.
CVE-1999-0519 | CIFS NULL Session Permitted | SoftNAS is designed to allow anonymous SMB access by default. The appliance should be firewalled from the public internet, with SMB allowed only from the internal subnets that need it.
CVE-2018-278 CVE-2018-2795 CVE-2018-2796 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2815 | Java CPU April 2018 Java SE, Java SE Embedded, JRockit vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
 | Java CPU April 2018 Java SE, Java SE Embedded vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2794 CVE-2018-2800 | Java CPU April 2018 Java SE, JRockit vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2811 | Java CPU April 2018 Java SE vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2637 CVE-2018-2663 CVE-2018-2678 | Java CPU January 2018 Java SE, Java SE Embedded, JRockit vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2582 CVE-2018-2602 CVE-2018-2634 CVE-2018-2641 CVE-2018-2677 | Java CPU January 2018 Java SE, Java SE Embedded vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2581 CVE-2018-2627 CVE-2018-2638 CVE-2018-2639 | Java CPU January 2018 Java SE vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2952 | Java CPU July 2018 Java SE, Java SE Embedded, JRockit vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2940 CVE-2018-2973 | Java CPU July 2018 Java SE, Java SE Embedded vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2018-2938 CVE-2018-2941 CVE-2018-2942 CVE-2018-2964 | Java CPU July 2018 Java SE vulnerability | On 4.2, update to jdk-8u191: `yum -y update jdk`
CVE-2017-0861 CVE-2017-15265 CVE-2018-1000004 CVE-2018-10901 | CESA-2018:2390: kernel |
CVE-2018-5740 | (Multiple Advisories): bind-utils | Fixed starting from the 4.2 release
CVE-2018-10897 | (Multiple Advisories): yum-utils | Fixed starting from the 4.2 release
CVE-2018-3139 CVE-2018-3149 CVE-2018-3169 CVE-2018-3180 CVE-2018-3183 CVE-2018-3209 CVE-2018-3211 CVE-2018-3214 CVE-2018-13785 | Java | On 4.2, update to jdk-8u191: `yum -y update jdk`
(no CVE) | ntp | `yum -y install ntp ntpdate` installs the latest security update for the installed ntp-related packages.
CVE-2013-4548 | sshd | N/A: SoftNAS versions running openssh 6.3p1 do not include the AES-GCM cipher suites.
CVE-2016-10012 | sshd | Upstream will not fix. From upstream: "In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact."
CVE-2019-6133 | polkit | Vulnerable: update polkit by running `yum update polkit` while logged in via SSH as root.
CVE-2018-10902 | kernel | Not vulnerable: SoftNAS does not use the CentOS kernel, so this vulnerability does not affect SoftNAS nodes at 4.0.21 or newer.
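Several rows above (CIFS null sessions, the Windows password policy leak, rquotad, ICMP timestamp, and the NFS, iSCSI and NetBIOS findings in the non-CVE table below) share one remediation: keep the service but reach it only from the internal subnets that need it. The script below is an added example, not SoftNAS code, of doing that with plain iptables. The subnet list, the rquotad port (assumed pinned to 875 via `RQUOTAD_PORT=875` in `/etc/sysconfig/nfs`, since by default rquotad takes a dynamic port that cannot be filtered by number) and the service port set are assumptions for the example.

```shell
#!/bin/sh
# Added example, not SoftNAS code: confine the flagged services (SMB/CIFS,
# NetBIOS, rpcbind, rquotad, NFS, iSCSI, ICMP echo/timestamp) to trusted
# internal subnets using iptables. Subnets and the rquotad port are assumptions.

# Ports assumed here: rpcbind 111, NetBIOS 137-139, SMB 445, rquotad 875
# (pinned via RQUOTAD_PORT in /etc/sysconfig/nfs), NFS 2049, iSCSI 3260.
TCP_PORTS="111 139 445 875 2049 3260"
UDP_PORTS="111 137 138 875 2049"
ICMP_TYPES="echo-request timestamp-request"

# build_rules "SUBNET [SUBNET ...]" : prints iptables commands that accept the
# services from each trusted subnet, then drop the same services from any
# other source. Nothing is executed here, so the output can be reviewed first.
build_rules() {
    for net in $1; do
        for p in $TCP_PORTS; do
            printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$net" "$p"
        done
        for p in $UDP_PORTS; do
            printf 'iptables -A INPUT -s %s -p udp --dport %s -j ACCEPT\n' "$net" "$p"
        done
        for t in $ICMP_TYPES; do
            printf 'iptables -A INPUT -s %s -p icmp --icmp-type %s -j ACCEPT\n' "$net" "$t"
        done
    done
    # Drops come after the ACCEPTs, so they only see traffic from untrusted sources.
    for p in $TCP_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
    for p in $UDP_PORTS; do
        printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$p"
    done
    for t in $ICMP_TYPES; do
        printf 'iptables -A INPUT -p icmp --icmp-type %s -j DROP\n' "$t"
    done
}

# rule_count "SUBNETS" : number of commands build_rules emits (sanity check).
rule_count() { build_rules "$1" | wc -l | tr -d ' '; }

# apply_rules "SUBNETS" : run as root on the appliance. The rules are not
# persistent until saved (iptables-save, or the distribution's iptables service).
apply_rules() { build_rules "$1" | sh -e; }

# Stand-alone run: print the rules for an assumed internal subnet. To load them:
#   sh this.sh --apply "10.0.0.0/8 192.168.1.0/24"   (as root)
if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-10.0.0.0/8}"
else
    build_rules "${1:-10.0.0.0/8}"
fi
```

Because the rules are appended with `-A`, an existing catch-all rule earlier in INPUT (the CentOS default chain ends with a REJECT) would shadow them; check `iptables -L INPUT -n --line-numbers` first and insert with `-I INPUT <n>` if needed. Re-run the scanner from an address outside the trusted subnets to confirm the findings close.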
...
Non-CVE vulnerabilities
Vulnerability | Resolution
---|---
NFS Share User Mountable | Configure NFS on the remote host so that only authorized hosts can mount the remote shares. The NFS server should also reject mount requests originating from a non-privileged port.
iSCSI Unauthenticated Target Detection | Configure authentication on the target to restrict access to authorized initiators.
NFS Shares World Readable | Place the appropriate restrictions on all NFS shares.
The "ForceGuest" mode is enabled by default on some installations which aren't joined to a domain and have Simple File Sharing enabled. | Not applicable: SoftNAS runs on Linux.
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections. | See How to Add/Change Root Certificates.
A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is known to respond to as well as the device's MAC address for that endpoint. A NBSTAT response is roughly 3x the size of the request, and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of distributed reflected denial of service (DRDoS) attacks. | This is a normal function of the appliance. Exposure can be limited with a firewall (NBSTAT uses UDP port 137; block it from untrusted networks).
This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure), enabled, and required (most secure). | Any customer may choose to enable SMB signing, but SoftNAS cannot make it the default for its entire user community. For a Samba-based SMB service this is the `server signing` option in smb.conf (`server signing = mandatory` requires it).
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3. ECRYPT II (from 2012) recommends for generic application independent long-term protection at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014): 128 bits is the recommended symmetric key size and should be mandatory after 2020. NIST (from 2012) still considers 3DES appropriate to use until the end of 2030. | SoftNAS will address this in the 4.2 release (on the roadmap for Q4 delivery). In the meantime these cipher suites can be disabled manually.
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA algorithms are no longer recommended for general use in TLS, and have been removed from TLS version 1.2. | SoftNAS will address this in the 4.2 release (on the roadmap for Q4 delivery). In the meantime these cipher suites can be disabled manually.
A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found via page spidering (following hyperlinks), as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or by brute forcing a list of common directories. Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages. | All important paths are already blocked by SoftNAS, and the SoftNAS application is unavailable without authentication.
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website. | Fixed in SoftNAS 3.5.1 and later.
The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again. Sensitive data and passwords can be stolen if the user's system is compromised. Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit. | Fields of type=password do not need special consideration.
The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text. | SoftNAS uses SSL-only ("Secure") cookies, so the browser never sends session tokens over a non-SSL link.
The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, the FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2. | SoftNAS has already disabled those protocols.
Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page. | The SoftNAS application relies heavily on framing, so this specific attack is an unusual one to worry about. Note that an `X-Frame-Options: SAMEORIGIN` header (or a CSP `frame-ancestors 'self'` directive) still permits the application's own same-origin frames while blocking framing by other sites.
The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted. | Fixed starting from the 4.2 release
The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session. | Not applicable from SoftNAS 4.2 (Apache is no longer used)
SSH Weak Algorithms Supported (arcfour) | These algorithms will be removed in the 4.5.0 release; in the meantime they can be disabled manually in the SSH config.
SSL Medium Strength Cipher Suites Supported | These algorithms will be removed in the 4.5.0 release; in the meantime they can be disabled manually in the HTTPS config.
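For the rows that say the weak algorithms "can be disabled manually" (arcfour in SSH; RC4, 3DES, DES, IDEA and static-key suites in HTTPS), the script below is an added example, not SoftNAS code, of doing the SSH side and verifying the TLS side from a client. It derives a `Ciphers`/`MACs` pair for sshd_config from what the local OpenSSH client actually supports (`ssh -Q`, available from OpenSSH 6.3), and probes an HTTPS endpoint with `openssl s_client` restricted to each weak cipher group. The hostname, port and the constructed algorithm lists are assumptions; the HTTPS server's own configuration syntax is not shown because the page does not say which server replaced Apache.

```shell
#!/bin/sh
# Added example, not SoftNAS code: remove legacy SSH algorithms (arcfour/RC4,
# 3DES, blowfish, CBC modes, MD5/SHA-1/truncated MACs) and check whether an
# HTTPS endpoint still accepts RC4, 3DES, DES, IDEA or static-RSA suites.

# harden_cipher_list : one OpenSSH cipher name per line on stdin (e.g. `ssh -Q cipher`);
# prints the acceptable ones comma-separated, ready for a sshd_config Ciphers line.
harden_cipher_list() {
    grep -v -E '^(arcfour|3des|blowfish|cast128)|-cbc' | paste -sd, -
}

# harden_mac_list : same for `ssh -Q mac`; drops MD5, SHA-1 and 64/96-bit-tag MACs.
harden_mac_list() {
    grep -v -E 'md5|sha1|-96|umac-64' | paste -sd, -
}

# Constructed samples in the shape of `ssh -Q cipher` / `ssh -Q mac` output
# from an OpenSSH 6.x client (used when no ssh client is available here).
SAMPLE_CIPHERS='3des-cbc
blowfish-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes256-ctr
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com'
SAMPLE_MACS='hmac-md5
hmac-sha1
hmac-sha1-96
umac-64@openssh.com
hmac-sha2-256
hmac-sha2-512-etm@openssh.com'

# sshd_lines : prints the two sshd_config lines. Append them to
# /etc/ssh/sshd_config, validate with `sshd -t`, then restart sshd.
sshd_lines() {
    if command -v ssh >/dev/null 2>&1; then
        printf 'Ciphers %s\n' "$(ssh -Q cipher | harden_cipher_list)"
        printf 'MACs %s\n' "$(ssh -Q mac | harden_mac_list)"
    else
        printf 'Ciphers %s\n' "$(printf '%s\n' "$SAMPLE_CIPHERS" | harden_cipher_list)"
        printf 'MACs %s\n' "$(printf '%s\n' "$SAMPLE_MACS" | harden_mac_list)"
    fi
}

# tls_accepts HOST PORT CIPHERSTRING : 0 if the server completes a handshake with a
# suite from the given OpenSSL cipher group. TLS 1.3 suites (TLS_*) are ignored
# because -cipher does not govern them, so they cannot be a weak-group match.
tls_accepts() {
    negotiated=$(openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null \
        | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p')
    [ -n "$negotiated" ] && openssl ciphers "$3" 2>/dev/null | tr ':' '\n' \
        | grep -v '^TLS_' | grep -qx "$negotiated"
}

# tls_weak_report HOST PORT : one line per weak cipher group the server still accepts.
tls_weak_report() {
    for spec in RC4 3DES DES IDEA kRSA; do
        if tls_accepts "$1" "$2" "$spec"; then
            echo "$1:$2 still accepts $spec suites"
        fi
    done
}

sshd_lines
# tls_weak_report nas.example.internal 443   # assumed appliance HTTPS endpoint
```

Deriving the list from `ssh -Q` rather than typing names avoids a `Ciphers` line that names an algorithm the installed sshd does not know, which would make sshd refuse to start; `sshd -t` catches that before a restart. To confirm from the outside, `nmap --script ssh2-enum-algos -p 22 <host>` lists what the server still offers, and `tls_weak_report` should print nothing once the HTTPS cipher suites are disabled.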
Update History
09-09-2018 | Initial version of the document created
30-10-2018 | Updated for 4.2
...