Responding to the results of a security scan

Purpose


As a standard practice, organizations protect their systems from known security vulnerabilities by running security scanners.

Security scanners are available from multiple vendors, many of which base their assessments on the CVEs (Common Vulnerabilities and Exposures) published by the MITRE Corporation.

A raw CVE entry from MITRE describes the vulnerability generically; the fix is implemented separately by each operating-system vendor, frequently as a patch backported into the existing package version rather than as a new upstream release.

The SoftNAS appliance is based on the CentOS 6.10 release, which in turn is built from the Red Hat Enterprise Linux 6.10 sources.

Hence, to understand how a particular CVE is addressed, we check it against Red Hat's Errata site.

Below is a list of CVEs, with the SoftNAS response to each, that our customers have brought to our attention as the result of running a security scanner.


If you are planning to run a security scan, make sure you are on the latest appliance release and that your scanner's vulnerability database is up to date. Keep in mind that security scans routinely report false positives: many scanners flag possible vulnerabilities based on the operating-system version alone, without checking the installed package versions or whether the installed version already carries the fix for that vulnerability.
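The check behind that caveat, added here as an example and not anything shipped with the appliance: Red Hat and CentOS backport security fixes into the existing package version, so the way to tell whether an installed package already carries the fix for a scanner-reported CVE is the package changelog, which names each CVE it fixes. The script reads the changelog with rpm -q --changelog when run on the appliance; the package name examplepkg, the changelog text and the resulting output are constructed for the demonstration and are not real package data.

```shell
#!/bin/sh
# Added example (not SoftNAS tooling): check whether the installed RPM already carries
# the fix for each CVE a scanner reported, using the package changelog. Red Hat/CentOS
# backport security fixes into the existing package version, so the version number
# alone does not tell you; the changelog entry for the fix names the CVE.

# Constructed sample in the format of `rpm -q --changelog <package>` (assumption; on the
# appliance the real changelog is read instead of this sample).
SAMPLE_CHANGELOG='* Tue Jun 05 2018 Example Maintainer <maint@example.com> - 1.0-3
- fix buffer overflow in request decoder (CVE-2018-12327)
* Mon Mar 05 2018 Example Maintainer <maint@example.com> - 1.0-2
- rebuild for el6
'

# changelog_for PACKAGE -> prints the changelog of the installed package; falls back to the
# constructed sample when rpm or the package is not present (e.g. outside the appliance).
changelog_for() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s' "$SAMPLE_CHANGELOG"
    fi
}

# triage_cves PACKAGE CVE... -> one line per CVE: "<CVE> fixed-in-installed-package" or
# "<CVE> not-in-changelog". The latter still needs a manual check against the Red Hat
# errata: it may be unfixed, fixed in a different package, or not applicable to this build.
triage_cves() {
    pkg="$1"; shift
    log="$(changelog_for "$pkg")"
    for cve in "$@"; do
        # -w: match whole identifiers only, so CVE-2018-1232 does not match CVE-2018-12327
        if printf '%s\n' "$log" | grep -qiw -- "$cve"; then
            printf '%s fixed-in-installed-package\n' "$cve"
        else
            printf '%s not-in-changelog\n' "$cve"
        fi
    done
}

# Example run against the constructed sample (use the real package name on the appliance)
triage_cves examplepkg CVE-2018-12327 CVE-2016-10012
```

On the appliance, replace examplepkg with the package the scanner attributes the CVE to (for instance openssh-server or ntp); a CVE reported as not-in-changelog is the one to look up on the Red Hat Errata site before deciding whether it is a false positive.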




Resolution


Each entry lists the vulnerability CVE ID(s), the vulnerability title as reported by the scanner, and the SoftNAS resolution.

CVE IDs: CVE-1999-0170, CVE-1999-0211, CVE-1999-0554
Title: NFS Exported Share Information Disclosure
Resolution: Configure NFS on the remote host so that only authorized hosts can mount its remote shares.

CVE ID: CVE-2018-1160
Title: Netatalk OpenSession Remote Code Execution
Resolution: Netatalk (AFP) is an obsolete protocol; you may disable it with the commands below. The sed command comments out the line that restarts netatalk in the NAS services start script, chkconfig prevents it from starting at boot, and the final command stops the daemon that is currently running:

 # stop the NAS services start script from restarting netatalk
 sed -i 's/^\(service netatalk restart\)/#\1/g' /var/www/softnas/scripts/start-nasservices.sh
 # do not start netatalk at boot
 chkconfig netatalk off
 # stop the running daemon now
 service netatalk stop



CVE IDs: CVE-1999-0520, CVE-1999-0519
Title: Microsoft Windows SMB Shares Unprivileged Access
Resolution: Restrict each share's permissions so that only authorized users have access. The scanner's generic Windows remediation is: open Explorer, right-click each share, go to the 'Sharing' tab, and click 'Permissions'.

CVE ID: CVE-2011-3389
Title: TLS/SSL Server is enabling the BEAST attack
Resolution: SoftNAS has the affected protocols (TLS 1.0 and earlier) disabled.

CVE ID: CVE-2000-1200
Title: Anonymous users can obtain the Windows password policy
Resolution: SoftNAS is designed to allow anonymous SMB access by default. The appliance should, however, be firewalled from the public internet, with SMB access allowed only from the internal subnets that need it.

CVE ID: CVE-1999-0625
Title: Sensitive RPC 'rquotad' Service is Enabled
Resolution: SoftNAS provides the rquotad service by default. The service should be firewalled from the public internet, with access allowed only from the internal subnets that need it.

CVE ID: CVE-1999-0524
Title: ICMP timestamp response
Resolution: The SoftNAS appliance responds to ICMP, including ping and timestamp requests. ICMP should, however, be firewalled from the public internet, with access allowed only from the internal subnets that need it.

CVE ID: CVE-1999-0519
Title: CIFS NULL Session Permitted
Resolution: SoftNAS is designed to allow anonymous SMB access by default. The appliance should, however, be firewalled from the public internet, with SMB access allowed only from the internal subnets that need it.
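
The firewalling recommended in the four entries above, as an added example that is not a SoftNAS script: the function below emits an iptables-restore fragment that accepts SMB, rpcbind, NFS and ICMP only from the listed internal subnets and drops them from any other source. The subnets are constructed placeholders and the standard port numbers are assumed; rquotad in particular takes a dynamic RPC port unless it is pinned, so pin it and add the port before relying on this filter.

```shell
#!/bin/sh
# Added example (not a SoftNAS script): generate iptables rules that allow SMB, the RPC
# services (rpcbind, NFS) and ICMP only from the internal subnets that need them and drop
# them from everywhere else. Standard ports are assumed; rquotad and mountd take dynamic
# RPC ports unless pinned in /etc/sysconfig/nfs (RQUOTAD_PORT, MOUNTD_PORT), so pin them
# and add those ports to SERVICES for a port-based filter to cover them.

# Constructed example subnets (assumption): replace with the subnets that need access.
ALLOWED_SUBNETS="10.10.0.0/16 192.168.50.0/24"

# One service per line: label, protocol, port or port range (iptables --dport syntax).
SERVICES='netbios udp 137:138
netbios tcp 139
smb     tcp 445
rpcbind tcp 111
rpcbind udp 111
nfs     tcp 2049
nfs     udp 2049'

# gen_rules SUBNET... -> prints an iptables-restore fragment for the filter table.
# ACCEPT rules for the allowed subnets come first, then a DROP for the same port so that
# any other source is refused; management ports (HTTPS, SSH) are deliberately untouched.
gen_rules() {
    printf '*filter\n'
    # ICMP: answer only the internal subnets (covers ping and timestamp requests)
    for net in "$@"; do
        echo "-A INPUT -p icmp -s $net -j ACCEPT"
    done
    echo "-A INPUT -p icmp -j DROP"
    # Service ports: the positional parameters (subnets) are visible inside the loop
    printf '%s\n' "$SERVICES" | while read -r _label proto port; do
        for net in "$@"; do
            echo "-A INPUT -p $proto -s $net --dport $port -j ACCEPT"
        done
        echo "-A INPUT -p $proto --dport $port -j DROP"
    done
    printf 'COMMIT\n'
}

# count_rules SUBNET... -> number of -A lines gen_rules emits (sanity check before loading)
count_rules() {
    gen_rules "$@" | grep -c '^-A '
}

# Print the rule set for review; nothing is applied by this script
gen_rules $ALLOWED_SUBNETS
```

Merge the output into /etc/sysconfig/iptables ahead of any catch-all ACCEPT rule (rules are evaluated in order, so a DROP placed after a blanket ACCEPT does nothing), then restart the iptables service; verify from a host outside the allowed subnets that the ports no longer answer before relying on it.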

CVE ID: CVE-2018-12327
Title: ntp
Resolution: The command below installs the latest security update for the installed ntp-related packages (yum upgrades an already-installed package to the newest available version):

 yum -y install ntp ntpdate

Afterwards, rpm -q --changelog ntp | grep CVE-2018-12327 shows whether the installed package's changelog lists the fix.

CVE ID: CVE-2013-4548
Title: sshd
Resolution: N/A - SoftNAS versions running OpenSSH 6.3p1 do not include the AES-GCM cipher suites, which are the only ones affected by this issue.

CVE ID: CVE-2016-10012
Title: sshd
Resolution: Upstream will not fix. From upstream:

"In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact."

CVE ID: CVE-2018-10902
Resolution: Not vulnerable - SoftNAS does not use the CentOS kernel, so this vulnerability does not affect any SoftNAS nodes at 4.0.21 or newer.


Non-CVE vulnerabilities

Each entry lists the finding as reported by the scanner and the SoftNAS resolution.

Finding: NFS Share User Mountable
Resolution: Configure NFS on the remote host so that only authorized hosts can mount the remote shares. The NFS server should reject mount requests originating from a non-privileged port (the 'secure' export option, which is the default in /etc/exports).

Finding: iSCSI Unauthenticated Target Detection
Resolution: Configure authentication (CHAP) on the target to restrict access to authorized initiators.

Finding: NFS Shares World Readable
Resolution: Place the appropriate restrictions on all NFS shares.
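
A check for the NFS findings above (host restriction, non-privileged source ports, and world-readable exports), added here as an example and not part of the appliance: the awk-based function audits an /etc/exports file for exports open to every host, the 'insecure' option, and 'no_root_squash'. The exports content is a constructed sample; it assumes the usual host(options) syntax with no space before the parenthesis, which is the form exportfs accepts without warning.

```shell
#!/bin/sh
# Added example (not SoftNAS tooling): audit /etc/exports content for the NFS findings
# above: exports open to every host ('*' or no host given), exports with the 'insecure'
# option (mounts from non-privileged ports accepted), and 'no_root_squash'.

# Constructed sample exports file (assumption; on the appliance pass the real file content).
SAMPLE_EXPORTS='# shares
/export/data   10.10.0.0/16(rw,sync)  192.168.50.0/24(ro)
/export/public *(ro,insecure)
/export/backup 10.10.5.7(rw,no_root_squash)
/export/old
'

# audit_exports CONTENT -> one "path: problem" line per issue found, nothing if clean
audit_exports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ || NF == 0 { next }   # skip comments and blank lines
        {
            path = $1
            if (NF == 1) {
                # exportfs treats a missing client list as every host
                print path ": exported with no host restriction (defaults to every host)"
                next
            }
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                p = index(host, "(")
                if (p > 0) {
                    opts = substr(host, p + 1); sub(/\)$/, "", opts)
                    host = substr(host, 1, p - 1)
                }
                if (host == "*" || host == "")
                    print path ": exported to every host (" $i ")"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "insecure")
                        print path ": insecure (non-privileged source ports accepted) for " host
                    if (o[j] == "no_root_squash")
                        print path ": no_root_squash for " host
                }
            }
        }'
}

# Example run against the constructed sample; on the appliance:
#   audit_exports "$(cat /etc/exports)"
audit_exports "$SAMPLE_EXPORTS"
```

An empty result means every export names specific hosts or subnets and keeps the default secure and root_squash behaviour; each reported line is one export to tighten, after which exportfs -ra reloads the table.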

Finding: The "ForceGuest" mode is enabled by default on some installations which aren't joined to a domain and have Simple File Sharing enabled.
Resolution: Not applicable, as the appliance runs Linux; ForceGuest is a Windows-only setting.

Finding: The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.
Resolution: Install a certificate issued by a CA your clients trust; see How to Add/Change Root Certificates.

Finding: A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is known to respond to as well as the device's MAC address for that endpoint. An NBSTAT response is roughly 3x the size of the request, and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of distributed reflected denial of service (DRDoS) attacks.
Resolution: This is a direct function of the appliance (the NetBIOS name service on UDP port 137). It can be limited with a firewall so that only the internal subnets that need SMB can reach it.

Finding: This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps prevent man-in-the-middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure), enabled, and required (most secure).
Resolution: Any customer may choose to enable SMB signing, but SoftNAS cannot make it the default for our entire user community.

Finding: Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3. ECRYPT II (from 2012) recommends at least 128 bits of security for generic, application-independent long-term protection. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014): 128 bits is the recommended symmetric key size and should be mandatory after 2020, while NIST (from 2012) still considers 3DES appropriate to use until the end of 2030.
Resolution: SoftNAS will address this issue in the 4.2 release, on the roadmap for Q4 delivery; in the meantime, feel free to disable those cipher suites.

Finding: Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA algorithms are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.

Finding: A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:

 * via page spidering (following hyperlinks), or

 * as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or

 * by brute forcing a list of common directories.

 Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages.
Resolution: All of the important paths are already blocked by SoftNAS, and the SoftNAS application is unavailable without authentication.

Finding: The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.
Resolution: Fields of type=password do not need special consideration.

Finding: The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
Resolution: SoftNAS uses SSL-only ("secure") cookies, so the browser does not send session tokens over a non-SSL link.

Finding: The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, the FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.
Resolution: SoftNAS has already disabled the older protocols.

Finding: Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.
Resolution: The SoftNAS application relies heavily on framing, so this specific type of attack is an odd one to worry about. (Framing of the application's own pages is compatible with an X-Frame-Options: SAMEORIGIN response header, which blocks only framing by other origins.)

Finding: SSH Weak Algorithms Supported: arcfour, arcfour128, arcfour256
Resolution: Those algorithms will be removed in the 4.5.0 release, but feel free to disable them manually in the SSH configuration (the Ciphers directive in /etc/ssh/sshd_config).

Finding: SSL Medium Strength Cipher Suites Supported
Resolution: Those cipher suites will be removed in the 4.5.0 release, but feel free to disable them manually in the HTTPS configuration.
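
The manual disabling offered in the two entries above (and for the 3DES, DES and IDEA suites earlier in this list), as an added example rather than SoftNAS's own procedure: the script below computes an sshd Ciphers list without the arcfour (RC4) ciphers, writes it into an sshd_config without duplicating the directive, and builds an OpenSSL cipher string for the HTTPS side with 3DES, DES, IDEA and RC4 excluded. The sample sshd -T output is constructed, and the HTTPS front end is assumed to be Apache mod_ssl (the SSLCipherSuite directive); the page does not say which web server the appliance uses.

```shell
#!/bin/sh
# Added example (not SoftNAS's own script): build a hardened cipher list for sshd that drops
# the RC4 (arcfour) ciphers flagged by the scanner, write it into an sshd_config
# idempotently, and build the matching Apache mod_ssl cipher string without 3DES/DES/IDEA/RC4
# (assumption: the HTTPS front end is Apache httpd; adapt the directive name otherwise).

# Constructed sample of the `ciphers` line printed by `sshd -T` (assumption; on the
# appliance run `sshd -T | grep -i '^ciphers'` to get the real list).
SAMPLE_SSHD_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,arcfour"

# Ciphers to remove: the RC4 family from the scanner finding, plus 3des-cbc, which has the
# same 64-bit block size weakness as the 3DES TLS suites flagged on the HTTPS side.
WEAK_SSH_CIPHERS="arcfour arcfour128 arcfour256 3des-cbc"

# drop_ssh_ciphers LIST -> LIST (comma-separated) with every WEAK_SSH_CIPHERS entry removed
drop_ssh_ciphers() {
    out=""
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        keep=1
        for w in $WEAK_SSH_CIPHERS; do
            [ "$c" = "$w" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="${out:+$out,}$c"
    done
    printf '%s\n' "$out"
}

# set_sshd_ciphers FILE LIST -> replace the Ciphers directive in FILE, or append one if it
# is absent, so running it twice does not leave duplicate directives behind.
set_sshd_ciphers() {
    file="$1"; list="$2"; tmp="$file.tmp.$$"
    awk -v list="$list" '
        /^Ciphers / { print "Ciphers " list; done = 1; next }
        { print }
        END { if (!done) print "Ciphers " list }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_openssl_ciphers STRING -> OpenSSL cipher string for Apache SSLCipherSuite with the
# medium-strength and legacy algorithms explicitly excluded. The explicit !3DES matters:
# the OpenSSL 1.0.x shipped with CentOS 6 still classes 3DES as HIGH.
harden_openssl_ciphers() {
    printf '%s:!3DES:!DES:!IDEA:!RC4:!aNULL:!eNULL\n' "$1"
}

hardened="$(drop_ssh_ciphers "$SAMPLE_SSHD_CIPHERS")"
echo "sshd Ciphers: $hardened"
echo "SSLCipherSuite $(harden_openssl_ciphers 'HIGH')"
# On the appliance (as root), after reviewing the output above:
#   set_sshd_ciphers /etc/ssh/sshd_config "$hardened" && sshd -t && service sshd restart
```

Keep an existing SSH session open while restarting sshd and confirm a new login still works, since a typo in the Ciphers directive locks everyone out; sshd -t catches syntax errors but not an empty list. For the HTTPS side, openssl ciphers -v followed by the hardened string lists exactly which suites remain before the Apache configuration is reloaded.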



Update History

09-09-2018 Initial version of the document created
30-10-2018 Updated for 4.2