Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Below we have assembled a list of CVEs and SoftNAS responses that our customers have brought to our attention as the result of running a security scanner.


Resolution


Vulnerability CVE IDsVulnerability TitleResolution
CVE-2017-9798Apache HTTPD: Use-after-free when using <Limit > with an unrecognized method in .htaccess (OptionsBleed) 

Starting from SoftNAS 4.2, we are not using Apache anymore

CVE-2017-9788Apache HTTPD: Uninitialized memory reflection in mod_auth_digest 
CVE-2017-7679Apache HTTPD: mod_mime Buffer Overread 
CVE-2017-3169Apache HTTPD: mod_ssl Null Pointer Dereference 
CVE-2017-3167Apache HTTPD: ap_get_basic_auth_pw (Authentication Bypass)
CVE-2016-8743Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects 
CVE-2016-5387Apache HTTPD: HTTP_PROXY environment variable "httpoxy" mitigation 
CVE-2015-3183Apache HTTPD: HTTP request smuggling attack against chunked request parser 
CVE-2014-0231Apache HTTPD: mod_cgid denial of service 
CVE-2014-0226Apache HTTPD: mod_status buffer overflow 
CVE-2014-0118Apache HTTPD: mod_deflate denial of service 
CVE-2014-0098Apache HTTPD: mod_log_config crash 
CVE-2013-6438Apache HTTPD: mod_dav crash 
CVE-2013-5704Apache HTTPD: HTTP Trailers processing bypass 
CVE-2013-1896Apache HTTPD: mod_dav crash 
CVE-2013-1862Apache HTTPD: mod_rewrite log escape filtering 
CVE-2012-4558Apache HTTPD: XSS in mod_proxy_balancer 
CVE-2012-4557Apache HTTPD: mod_proxy_ajp remote DoS 
CVE-2012-3499Apache HTTPD: XSS due to unescaped hostnames 
CVE-2012-2687Apache HTTPD: XSS in mod_negotiation when untrusted uploads are supported 
CVE-2012-0883Apache HTTPD: insecure LD_LIBRARY_PATH handling 
CVE-2012-0053Apache HTTPD: error responses can expose cookies 
CVE-2012-0031Apache HTTPD: scoreboard parent DoS 
CVE-2011-4317Apache HTTPD: mod_proxy reverse proxy exposure  
CVE-2011-3607Apache HTTPD: mod_setenvif .htaccess privilege escalation 
CVE-2011-3368Apache HTTPD: mod_proxy reverse proxy exposure 
CVE-2011-3348Apache HTTPD: mod_proxy_ajp remote DoS 
CVE-2011-0419Apache HTTPD: apr_fnmatch flaw leads to mod_autoindex remote DoS 
CVE-2010-1623Apache HTTPD: apr_bridage_split_line DoS 
CVE-2009-3720Apache HTTPD: expat DoS 
CVE-2009-3560Apache HTTPD: expat DoS 

CVE-2016-4975

Apache HTTPD: mod_userdir CRLF injection

CVE-2010-1452Apache HTTPD: mod_cache and mod_dav DoS 
CVE-2010-0386,CVE-2009-2823,CVE-2008-7253,CVE-2007-3008,CVE-2006-4683,CVE-2005-3398,CVE-2004-2763,CVE-2004-2320Apache HTTP TRACE Method Enabled
CVE-2013-2566TLS/SSL Server Supports RC4 Cipher Algorithms Fixed starting form 4.2 release
CVE-2011-3389TLS/SSL Server is enabling the BEAST attackSoftNAS has these protocols disabled
CVE-2016-2183TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)Fixed starting form 4.2 release
CVE-2003-1418Apache HTTPD: ETag Inode Information Leakage Starting from SoftNAS 4.2, we are not using Apache anymore
CVE-2000-1200Anonymous users can obtain the Windows password policySoftNAS is designed to allow anonymous access by default. SMB protocol, however, the SoftNAS appliance should be firewalled from the public internet and access to it allowed only from the internal subnets that need access.
CVE-1999-0625Sensitive RPC 'rquotad' Service is EnabledSoftNAS provides rquotad service by default. Access to the service should be firewalled from the public internet and access to it allowed only from the internal subnets that need access.
CVE-1999-0524ICMP timestamp responseSoftNAS appliance responds to ping, ICMP. ICMP protocol, however, should be firewalled from the public internet and access to it allowed only from the internal subnets that need access.
CVE-1999-0519CIFS NULL Session PermittedSoftNAS is designed to allow anonymous access by default. SMB protocol, however, the SoftNAS appliance should be firewalled from the public internet and access to it allowed only from the internal subnets that need access.

CVE-2018-278

CVE-2018-2795

CVE-2018-2796

CVE-2018-2797

CVE-2018-2798

CVE-2018-2799

CVE-2018-2815


Java CPU April 2018 Java SE, Java SE Embedded, JRockit vulnerability


We updated to jdk1.8-1.8.0_181 starting from SoftNAS 4.2














CVE-2018-2790

CVE-2018-2814


Java CPU April 2018 Java SE, Java SE Embedded vulnerability

CVE-2018-2794

CVE-2018-2800

Java CPU April 2018 Java SE, JRockit vulnerability

CVE-2018-2811

Java CPU April 2018 Java SE vulnerability

CVE-2018-2579

CVE-2018-2588

CVE-2018-2599

CVE-2018-2603

CVE-2018-2618

CVE-2018-2633

CVE-2018-2637

CVE-2018-2663

CVE-2018-2678

CVE-2018-2629

Java CPU January 2018 Java SE, Java SE Embedded, JRockit vulnerability

CVE-2018-2582

CVE-2018-2602

CVE-2018-2634

CVE-2018-2641

CVE-2018-2677

Java CPU January 2018 Java SE, Java SE Embedded vulnerability

CVE-2018-2581

CVE-2018-2627

CVE-2018-2638

CVE-2018-2639

Java CPU January 2018 Java SE vulnerability

CVE-2018-2952

Java CPU July 2018 Java SE, Java SE Embedded, JRockit vulnerability

CVE-2018-2940

CVE-2018-2973

Java CPU July 2018 Java SE, Java SE Embedded vulnerability

CVE-2018-2938

CVE-2018-2941

CVE-2018-2942

CVE-2018-2964

Java CPU July 2018 Java SE vulnerability

CVE-2018-3620

CVE-2018-3646

CVE-2018-3693

CVE-2018-7566



(Multiple Advisories): kernel

All not applicable. However, fixed in 4.2 release



CVE-2017-0861

CVE-2017-15265

CVE-2018-1000004

CVE-2018-10901

 CESA-2018:2390: kernel

CVE-2018-5740(Multiple Advisories): bind-utilsFixed starting form 4.2 release
CVE-2018-10897(Multiple Advisories): yum-utilsFixed starting form 4.2 release

CVE-2018-3139

CVE-2018-3149

CVE-2018-3169

CVE-2018-3180

CVE-2018-3183

CVE-2018-3209

CVE-2018-3211

CVE-2018-3214

CVE-2018-13785

Java

On 4.2, you can update to jdk-8u191:


1. yum -y update jdk
2. reboot

CVE-2018-12327ntp

The below command will install the latest security update for the installed ntp-related packages

yum -y install ntp ntpdate

CVE-2013-4548sshd N/A - SoftNAS versions running openssh 6.3p1 do not include the AES-GCM cipher suites
CVE-2016-10012

Upstream will not fix. From Upstream

"In order to exploit this flaw, the attacker needs to first compromise the sandboxed privilege-separation process by using another security flaw. Because of this restriction for successful exploitation, this issue has been rated as having Low security impact."

CVE-2019-6133

Vulnerable – Update version of polkit by running the following command line while logged in via ssh with root privileges.

# yum update polkit

CVE-2018-10902
Not vulnerable - SoftNAS is not using the CentOS kernel, so this vulnerability does not affect any SoftNAS nodes at 4.0.21 or newer.


Non-CVEs vulnerabilitie

VulnerabilityResolution
The "ForceGuest" mode is enabled by default on some installations which aren't joined to a domain and have Simple File Sharing enabled.Not applicable as we're running a Linux system
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.How to Add/Change Root Certificates
A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is known to respond to as well as the device's MAC address for that endpoint. A NBSTAT response is roughly 3x the size of the request, and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of distributed reflected denial of service (DRDoS) attacks.This is a direct function of the appliance., Can be limited with firewall.
This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure), enabled, and required (most secure).Any customer  may choose to use SMB signing but SoftNAS due to our entire user community can NOT make this default.  
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the 3DES (Triple Data Encryption Standard) algorithm. Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3. ECRYPT II (from 2012) recommends for generic application independent long-term protection at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014), 128 bit is the recommended symmetric size and should be mandatory after 2020. While NIST (from 2012) still considers 3DES being appropriate to use until the end of 2030.SoftNAS will address this issue with the 4.2 release on Roadmap for Q4 delivery, but feel free to disable those cipher suites
Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA algorithms are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.
A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:

 * via page spidering (following hyperlinks), or

 * as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or

 * by brute forcing a list of common directories.

 Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages.
All of the important paths are already blocked by SoftNAS. SoftNAS application is unavailable without authentication
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.fixed in SoftNAS 3.5.1 release and later
The Web form contains passwords or other sensitive text fields for which the browser auto-complete feature is enabled. Auto-complete stores completed form field and passwords locally in the browser, so that these fields are filled automatically when the user visits the site again.

Sensitive data and passwords can be stolen if the user's system is compromised.

Note, however, that form auto-complete is a non-standard, browser-side feature that each browser handles differently. Opera, for example, disregards the feature, requiring the user to enter credentials for each Web site visit.
type=password does not need special consideration.
The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.we're using SSL only cookies ("secure" cookies) so the browser does not send us session tokens via non-SSL link
The PCI (Payment Card Industry) Data Security Standard requires a minimum of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard requires a minimum of TLS v1.1 and recommends TLS v1.2.SoftNAS already disabled those protocols.
Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.SoftNAS application relies heavily on framing and this is specific type of attack is an odd one to worry about
The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.Fixed starting form 4.2 release
The server is using a common or default prime number as a parameter during the Diffie-Hellman key exchange. This makes the secure session vulnerable to a precomputation attack. An attacker can spend a significant amount of time to generate a lookup/rainbow table for a particular prime number. This lookup table can then be used to obtain the shared secret for the handshake and decrypt the session.Starting from SoftNAS 4.2, we are not using Apache anymore



Update History


09-09-2018Initial version of the document created
 30-10-2018 For 4.2