- TrueNAS recommends hardening systems to mitigate risks
- Pwn2Own showcases diverse attack vectors on NAS systems
- Cybersecurity teams earn over $1 million by finding in exploits
At the recent Pwn2Own Ireland 2024 event, security researchers identified vulnerabilities in various high-use devices, including network-attached storage NAS devices, cameras, and other connected products.
TrueNAS was one of the companies whose products were successfully targeted during the event, with vulnerabilities found in its products with default, non-hardened configurations.
Following the competition, TrueNAS have started implementing updates to secure their products against these newly discovered vulnerabilities.
Security gaps across multiple devices
During the competition, multiple teams successfully exploited TrueNAS Mini X devices, demonstrating the potential for attackers to leverage interconnected vulnerabilities between different network devices. Notably, the Viettel Cyber Security team earned $50,000 and 10 Master of Pwn points by chaining SQL injection and authentication bypass vulnerabilities from a QNAP router to the TrueNAS device.
Furthermore, the Computest Sector 7 team also executed a successful attack by exploiting both a QNAP router and a TrueNAS Mini X using four vulnerabilities. The types of vulnerabilities included command injection, SQL injection, authentication bypass, improper certificate validation, and hardcoded cryptographic keys.
TrueNAS responded to the results by releasing an advisory for its users, acknowledging the vulnerabilities and emphasizing the importance of following security recommendations to protect data storage systems against potential exploits.
By adhering to these guidelines, users can increase their defences, making it harder for attackers to leverage known vulnerabilities.
TrueNAS informed customers that the vulnerabilities affected default, non-hardened installations, meaning that users who follow recommended security practices are already at a reduced risk.
TrueNAS has advised all users to review its security guidance and implement best practices, which can significantly minimize exposure to potential threats until the patches are fully rolled out.
Via SecurityWeek
