As a standard practice, organizations protect their systems from known security vulnerabilities by running security scanners.
Security scanners are available from multiple vendors, many of which base their assessments on the CVEs (Common Vulnerabilities and Exposures) published by the MITRE Corporation.
Raw CVE entries from MITRE are generic: the fix for a given CVE has to be implemented by the distribution vendor, and Red Hat in particular backports fixes into the existing package version, so the version string a scanner sees does not by itself say whether a CVE is open.
The SoftNAS appliance is based on the CentOS 6.10 release, which in turn is based on the Red Hat Enterprise Linux 6.10 distribution.
Hence, to understand how a particular CVE is addressed, we check it against Red Hat's errata site.
Below we have assembled a list of CVEs, with the SoftNAS response to each, that our customers have brought to our attention as a result of running a security scanner.
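The check behind that comparison, as an added example that is not SoftNAS code: on CentOS and RHEL a backported fix does not change the package version a scanner matches on, but the RPM changelog names the CVE that was fixed. The script assumes an RPM-based host with `rpm` available for the live query; the changelog text it is demonstrated on is constructed for the example and is not a real Red Hat changelog.

```shell
#!/bin/sh
# Added example, not SoftNAS code. Verifies a scanner finding against the
# installed package's RPM changelog: Red Hat backports fixes into the existing
# package version, so a scanner matching on version strings alone reports the
# CVE as open while the changelog names it as fixed.

# cve_fixed_in_changelog CVE-ID   (changelog text on stdin)
# Prints the first changelog line naming the CVE and returns 0; returns 1 if
# the CVE is absent. Case-insensitive, and a trailing digit is rejected so
# CVE-2017-979 does not match CVE-2017-9798.
cve_fixed_in_changelog() {
    awk -v cve="$(printf '%s' "$1" | tr 'a-z' 'A-Z')" '
        { line = toupper($0) }
        match(line, cve "([^0-9]|$)") { print $0; found = 1; exit }
        END { exit !found }'
}

# check_package PACKAGE CVE-ID
# Exit status: 0 fix referenced, 1 not referenced (investigate: the component
# may be unpatched, or the fix may live in a different package), 2 not installed.
check_package() {
    pkg=$1; cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed, finding cannot apply to this package"
        return 2
    fi
    if line=$(rpm -q --changelog "$pkg" | cve_fixed_in_changelog "$cve"); then
        echo "$pkg: $cve fixed ($line)"
        return 0
    fi
    echo "$pkg: $cve not referenced in changelog"
    return 1
}

# Constructed sample in RPM changelog style (not a real Red Hat changelog),
# so the parsing can be exercised on a host without rpm.
SAMPLE_CHANGELOG='* Mon Oct 02 2017 Example Packager <pkg@example.com> - 2.2.15-1.example
- Resolves: CVE-2017-9798 - use-after-free with <Limit> in .htaccess (backport)
- Resolves: CVE-2017-3167 - ap_get_basic_auth_pw() authentication bypass (backport)
* Tue Jun 13 2017 Example Packager <pkg@example.com> - 2.2.15-0.example
- rebuild'

# Live use: ./check.sh httpd CVE-2017-9798
if [ "$#" -ge 2 ]; then
    check_package "$1" "$2"
fi
```

A status of 1 is the result worth escalating: either the package is genuinely unpatched or the fix shipped in a different package (a library the scanner attributes to the wrong component), and the Red Hat erratum for the CVE says which.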
| Vulnerability CVE IDs | Vulnerability Title | Resolution |
|---|---|---|
| CVE-2017-9798 | Apache HTTPD: Use-after-free when using `<Limit>` with an unrecognized method in .htaccess (OptionsBleed) | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2017-9788 | Apache HTTPD: Uninitialized memory reflection in mod_auth_digest | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2017-7679 | Apache HTTPD: mod_mime buffer overread | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2017-3169 | Apache HTTPD: mod_ssl NULL pointer dereference | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2017-3167 | Apache HTTPD: ap_get_basic_auth_pw (authentication bypass) | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2016-8743 | Apache HTTPD: HTTP request parsing whitespace defects | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2016-5387 | Apache HTTPD: HTTP_PROXY environment variable ("httpoxy") mitigation | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2015-3183 | Apache HTTPD: HTTP request smuggling attack against chunked request parser | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2014-0231 | Apache HTTPD: mod_cgid denial of service | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2014-0226 | Apache HTTPD: mod_status buffer overflow | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2014-0118 | Apache HTTPD: mod_deflate denial of service | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2014-0098 | Apache HTTPD: mod_log_config crash | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2013-6438 | Apache HTTPD: mod_dav crash | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2013-5704 | Apache HTTPD: HTTP trailers processing bypass | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2013-1896 | Apache HTTPD: mod_dav crash | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2013-1862 | Apache HTTPD: mod_rewrite log escape filtering | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-4558 | Apache HTTPD: XSS in mod_proxy_balancer | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-4557 | Apache HTTPD: mod_proxy_ajp remote DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-3499 | Apache HTTPD: XSS due to unescaped hostnames | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-2687 | Apache HTTPD: XSS in mod_negotiation when untrusted uploads are supported | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-0883 | Apache HTTPD: insecure LD_LIBRARY_PATH handling | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-0053 | Apache HTTPD: error responses can expose cookies | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2012-0031 | Apache HTTPD: scoreboard parent DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2011-4317 | Apache HTTPD: mod_proxy reverse proxy exposure | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2011-3607 | Apache HTTPD: mod_setenvif .htaccess privilege escalation | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2011-3368 | Apache HTTPD: mod_proxy reverse proxy exposure | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2011-3348 | Apache HTTPD: mod_proxy_ajp remote DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2011-0419 | Apache HTTPD: apr_fnmatch flaw leads to mod_autoindex remote DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2010-1623 | Apache HTTPD: apr_brigade_split_line DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2009-3720 | Apache HTTPD: expat DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2009-3560 | Apache HTTPD: expat DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
|  | Apache HTTPD: mod_userdir CRLF injection | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2010-1452 | Apache HTTPD: mod_cache and mod_dav DoS | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2010-0386, CVE-2009-2823, CVE-2008-7253, CVE-2007-3008, CVE-2006-4683, CVE-2005-3398, CVE-2004-2763, CVE-2004-2320 | Apache HTTP TRACE method enabled | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2013-2566 | TLS/SSL server supports RC4 cipher algorithms | Fixed starting from the 4.2 release |
| CVE-2011-3389 | TLS/SSL server is enabling the BEAST attack | SoftNAS has the affected protocol versions (TLS 1.0 and earlier) disabled |
| CVE-2016-2183 | TLS/SSL birthday attacks on 64-bit block ciphers (SWEET32) | Fixed starting from the 4.2 release |
| CVE-2003-1418 | Apache HTTPD: ETag inode information leakage | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
| CVE-2000-1200 | Anonymous users can obtain the Windows password policy | SoftNAS is designed to allow anonymous SMB access by default. The SoftNAS appliance should, however, be firewalled from the public internet, with SMB access allowed only from the internal subnets that need it. |
| CVE-1999-0625 | Sensitive RPC 'rquotad' service is enabled | SoftNAS provides the rquotad service by default. It should be firewalled from the public internet, with access allowed only from the internal subnets that need it. |
| CVE-1999-0524 | ICMP timestamp response | The SoftNAS appliance responds to ICMP (ping). ICMP should, however, be firewalled from the public internet, with access allowed only from the internal subnets that need it. |
| CVE-1999-0519 | CIFS NULL session permitted | SoftNAS is designed to allow anonymous SMB access by default. The SoftNAS appliance should, however, be firewalled from the public internet, with SMB access allowed only from the internal subnets that need it. |
|  | Java CPU April 2018: Java SE, Java SE Embedded, JRockit vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU April 2018: Java SE, Java SE Embedded vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU April 2018: Java SE, JRockit vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU April 2018: Java SE vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU January 2018: Java SE, Java SE Embedded, JRockit vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU January 2018: Java SE, Java SE Embedded vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU January 2018: Java SE vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU July 2018: Java SE, Java SE Embedded, JRockit vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU July 2018: Java SE, Java SE Embedded vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | Java CPU July 2018: Java SE vulnerability | Updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2 |
|  | (Multiple advisories): kernel | All not applicable. However, fixed in the 4.2 release. |
| CVE-2018-5740 | (Multiple advisories): bind-utils | Fixed starting from the 4.2 release |
| CVE-2018-10897 | (Multiple advisories): yum-utils | Fixed starting from the 4.2 release |
|  |  | On 4.2, you can update to jdk-8u191: `yum -y update jdk` |
|  |  | The following command installs the latest security update for the installed ntp-related packages: `yum -y install ntp ntpdate` |
| CVE-2013-4548 | sshd | N/A: SoftNAS versions running OpenSSH 6.3p1 do not include the AES-GCM cipher suites |
|  |  | Upstream will not fix. From upstream: "In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact." |
|  |  | Vulnerable. Update polkit by running `yum update polkit` while logged in via SSH with root privileges. |
| CVE-2018-10902 |  | Not vulnerable: SoftNAS does not use the CentOS kernel, so this vulnerability does not affect any SoftNAS nodes at 4.0.21 or newer. |
|  | The "ForceGuest" mode is enabled by default on some installations which aren't joined to a domain and have Simple File Sharing enabled. | Not applicable, as SoftNAS runs a Linux system |
|  | The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections. | How to Add/Change Root Certificates |
|  | A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is known to respond to as well as the device's MAC address for that endpoint. An NBSTAT response is roughly 3x the size of the request, and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of distributed reflected denial of service (DRDoS) attacks. | This is a direct function of the appliance; it can be limited with a firewall. |
|  | This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps prevent man-in-the-middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure), enabled, and required (most secure). | Any customer may choose to enable SMB signing, but SoftNAS cannot make it the default because of the breadth of its user community. |
|  | Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3. ECRYPT II (from 2012) recommends at least 128 bits of security for generic, application-independent long-term protection. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014): 128 bits is the recommended symmetric key size and should be mandatory after 2020, while NIST (from 2012) still considers 3DES appropriate to use until the end of 2030. | SoftNAS will address this issue with the 4.2 release (on the roadmap for Q4 delivery); feel free to disable those cipher suites in the meantime. |
|  | Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA algorithms are no longer recommended for general use in TLS, and have been removed from TLS version 1.2. | SoftNAS will address this issue with the 4.2 release (on the roadmap for Q4 delivery); feel free to disable those cipher suites in the meantime. |
|  | A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found via page spidering (following hyperlinks), as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or by brute-forcing a list of common directories. Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages. | All of the important paths are already blocked by SoftNAS; the SoftNAS application is unavailable without authentication. |
|  | HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client-side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website. | Fixed in the SoftNAS 3.5.1 release and later |
|  | The web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form fields and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again. Sensitive data and passwords can be stolen if the user's system is compromised. Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each website visit. | type=password does not need special consideration. |
|  | The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text. | SoftNAS uses SSL-only ("secure") cookies, so the browser does not send session tokens over a non-SSL link. |
|  | The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, the FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2. | SoftNAS has already disabled those protocols. |
|  | Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page. | The SoftNAS application relies heavily on framing, and this specific type of attack is an odd one to worry about for it. |
|  | The server is configured to support ciphers known as static key ciphers. These ciphers don't support forward secrecy. In the new specification for HTTP/2, these ciphers have been blacklisted. | Fixed starting from the 4.2 release |
|  | The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session. | Starting from SoftNAS 4.2, Apache HTTPD is no longer used |
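The RC4, SWEET32/3DES, DES/IDEA, BEAST and static-key (no forward secrecy) rows above all come down to which cipher suites the HTTPS endpoint still negotiates, which is what a scanner actually tests. The following added example (not SoftNAS code) classifies OpenSSL cipher-suite names the way those findings group them, and probes a live host for each weak family with `openssl s_client`. The host name and the sample suite list are constructed for the example.

```shell
#!/bin/sh
# Added example, not SoftNAS code. Assumes the OpenSSL command-line tool for
# the live probe; the offline classification needs only sh and awk.

# weak_cipher_reason SUITE-NAME
# Prints why a scanner would flag the suite and returns 0, or prints nothing
# and returns 1 if the suite is acceptable. Names are OpenSSL-style
# (e.g. ECDHE-RSA-AES128-GCM-SHA256) or TLS 1.3 IANA-style (TLS_AES_...).
weak_cipher_reason() {
    case $1 in
        *RC4*)                 echo "RC4 stream cipher (CVE-2013-2566)"; return 0 ;;
        *DES-CBC3*|*3DES*)     echo "64-bit block cipher, SWEET32 (CVE-2016-2183)"; return 0 ;;
        *DES-CBC-*|*IDEA*)     echo "DES/IDEA, removed from TLS 1.2"; return 0 ;;
        *NULL*|*EXP*)          echo "export or null cipher"; return 0 ;;
    esac
    case $1 in
        # ephemeral (EC)DH key exchange gives forward secrecy; TLS 1.3 suites always do
        ECDHE-*|DHE-*|EDH-*|TLS_AES_*|TLS_CHACHA20_*) return 1 ;;
        *) echo "static RSA key exchange, no forward secrecy (HTTP/2 black list)"; return 0 ;;
    esac
}

# audit_cipher_list   (one suite name per line on stdin)
# Prints "FLAG name: reason" or "ok   name" per suite; returns 1 if any flagged.
audit_cipher_list() {
    flagged=0
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        if reason=$(weak_cipher_reason "$suite"); then
            echo "FLAG $suite: $reason"; flagged=1
        else
            echo "ok   $suite"
        fi
    done
    return $flagged
}

# probe_host HOST:PORT
# Asks the server to negotiate each weak family in turn. The negotiated suite
# is taken from the "New, ..., Cipher is NAME" line and re-checked with
# weak_cipher_reason, so a TLS 1.3 suite negotiated despite -cipher is not a hit.
probe_host() {
    for family in RC4 3DES 'DES:IDEA' kRSA; do
        negotiated=$(printf '' | openssl s_client -connect "$1" -cipher "$family" 2>/dev/null \
                     | sed -n 's/^New, .*Cipher is \([^ ]*\).*/\1/p')
        case $negotiated in
            ''|'(NONE)') echo "$1 rejects $family" ;;
            *) if reason=$(weak_cipher_reason "$negotiated"); then
                   echo "$1 ACCEPTS $negotiated: $reason"
               else
                   echo "$1 negotiated $negotiated for $family (not weak)"
               fi ;;
        esac
    done
}

# Constructed sample list, as a scanner might report it for an older endpoint.
SAMPLE_SUITES='ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA
AES128-SHA
ECDHE-RSA-RC4-SHA
DES-CBC3-SHA
IDEA-CBC-SHA
TLS_AES_256_GCM_SHA384'

# Live use: ./tls-audit.sh nas.example.internal:443
if [ "$#" -ge 1 ]; then
    probe_host "$1"
fi
```

For the common Diffie-Hellman prime finding, the fix on any web server is to generate a group of your own (`openssl dhparam -out dhparam.pem 2048`) and point the server's DH parameter setting at it, or to prefer ECDHE suites so finite-field DH is not offered at all; the probe above reports `kRSA` hits, which is the static-key finding, and a server that accepts none of the four families clears every TLS row in the table except the self-signed certificate.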
| Date | Revision |
|---|---|
| 09-09-2018 | Initial version of the document created |
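Several rows in the table (the CIFS null session and Windows password-policy findings, rquotad, the ICMP timestamp response and NBSTAT amplification) have the same resolution: expose the service only to the internal subnets that need it. The following added example (not SoftNAS code) generates the iptables rules for that. It assumes iptables on the appliance, rpcbind on port 111, NFS on 2049, and rquotad pinned to a fixed port (875 is assumed here; set RQUOTAD_PORT to whatever /etc/sysconfig/nfs pins on your system); the subnets are examples.

```shell
#!/bin/sh
# Added example, not SoftNAS code. Emits iptables rules that allow SMB,
# NetBIOS, NFS/rpcbind/rquotad and ICMP echo only from the given internal
# subnets and drop them from anywhere else. Nothing is applied unless you
# pipe the output to sh as root. Assumptions: rpcbind on 111, NFS on 2049,
# rquotad pinned to RQUOTAD_PORT (875 assumed), and no earlier blanket
# ACCEPT rule in the INPUT chain that would shadow the DROPs appended here.

RQUOTAD_PORT=${RQUOTAD_PORT:-875}
SERVICE_PORTS="445 139 111 2049 $RQUOTAD_PORT"

# valid_cidr A.B.C.D/NN  -> 0 for a syntactically valid IPv4 CIDR, 1 otherwise
valid_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# emit_rules SUBNET [SUBNET...]
# Prints the iptables commands to stdout. Returns 2 on a malformed subnet so a
# typo cannot produce a rule set that locks every client out.
emit_rules() {
    [ "$#" -ge 1 ] || { echo "usage: emit_rules SUBNET..." >&2; return 2; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 2; }
    done
    # replies to the appliance's own outbound connections (AD, NTP, yum) pass first
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        for port in $SERVICE_PORTS; do
            echo "iptables -A INPUT -s $net -p tcp --dport $port -j ACCEPT"
            echo "iptables -A INPUT -s $net -p udp --dport $port -j ACCEPT"
        done
        # NetBIOS name service and datagram service (the NBSTAT amplification finding)
        echo "iptables -A INPUT -s $net -p udp --dport 137:138 -j ACCEPT"
        echo "iptables -A INPUT -s $net -p icmp --icmp-type echo-request -j ACCEPT"
    done
    # everything else reaching those services is dropped; ICMP timestamp requests
    # (CVE-1999-0524) have no legitimate client on a NAS and are dropped from everywhere
    for port in $SERVICE_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
        echo "iptables -A INPUT -p udp --dport $port -j DROP"
    done
    echo "iptables -A INPUT -p udp --dport 137:138 -j DROP"
    echo "iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
}

# Review first, then apply as root:  ./nas-fw.sh 10.10.0.0/16 | sh
if [ "$#" -ge 1 ]; then
    emit_rules "$@"
fi
```

The order matters: the per-subnet ACCEPT rules are appended before the catch-all DROPs, and nothing here touches the management HTTPS port or SSH, so the rule set can be tested against one subnet before it is made persistent with `service iptables save`.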