FreeNAS 11.2-U3 Vulnerabilities

vermaden

Dabbler
Joined
Mar 9, 2019
Messages
16
Hi,

a buddy of mine scanned FreeNAS 11.2-U3 for possible security holes - below are his results.

Do you have any estimate when these holes will be fixed (or packages in FreeNAS updated)?

Vulnerability
Severity


FreeBSD: (Multiple Advisories) (CVE-2016-9063): python 2.7 -- multiple vulnerabilities
Critical

FreeBSD: VID-714B033A-2B09-11E9-8BC3-610FD6E6CD05 (CVE-2019-3822): curl -- multiple vulnerabilities
Critical

FreeBSD: mksh -- TTY attachment privilege escalation (CVE-2008-1845)
Severe

FreeBSD: VID-5A757A31-F98E-4BD4-8A85-F1C0F3409769 (CVE-2018-15120): pango -- remote DoS vulnerability
Severe

FreeBSD: (Multiple Advisories) (CVE-2017-9233): python 2.7 -- multiple vulnerabilities
Severe

FreeBSD: VID-714B033A-2B09-11E9-8BC3-610FD6E6CD05 (CVE-2018-16890): curl -- multiple vulnerabilities
Severe

FreeBSD: VID-714B033A-2B09-11E9-8BC3-610FD6E6CD05 (CVE-2019-3823): curl -- multiple vulnerabilities
Severe

FreeBSD: VID-7DA0417F-6B24-11E8-84CC-002590ACAE31 (CVE-2018-12020): gnupg -- unsanitized output (CVE-2018-12020)
Severe

FreeBSD: VID-8719B935-8BAE-41AD-92BA-3C826F651219 (CVE-2018-1060): python 2.7 -- multiple vulnerabilities
Severe

FreeBSD: VID-8719B935-8BAE-41AD-92BA-3C826F651219 (CVE-2018-1061): python 2.7 -- multiple vulnerabilities
Severe

FreeBSD: VID-8B1A50AB-8A8E-11E8-ADD2-B499BAEBFEAF (CVE-2018-8011): Apache httpd -- multiple vulnerabilities
Severe

FreeBSD: VID-9E2D0DCF-9926-11E8-A92D-0050562A4D7B (CVE-2018-10903): py-cryptography -- tag forgery vulnerability
Severe

FreeBSD: VID-EB888CE5-1F19-11E9-BE05-4C72B94353B5 (CVE-2018-17189): Apache -- vulnerability
Severe

FreeBSD: VID-EB888CE5-1F19-11E9-BE05-4C72B94353B5 (CVE-2018-17199): Apache -- vulnerability
Severe

FreeBSD: VID-EB888CE5-1F19-11E9-BE05-4C72B94353B5 (CVE-2019-0190): Apache -- vulnerability
Severe

FreeBSD: (Multiple Advisories) (CVE-2012-0876): python 2.7 -- multiple vulnerabilities
Severe

FreeBSD: (Multiple Advisories) (CVE-2017-7526): gnupg -- unsanitized output (CVE-2018-12020)
Severe

FreeBSD: VID-50AD9A9A-1E28-11E9-98D7-0050562A4D7B: www/py-requests -- Information disclosure vulnerability
Severe

FreeBSD: VID-7B5A8E3B-52CC-11E8-8C7A-9C5C8E75236A (CVE-2018-0494): wget -- cookie injection vulnerability
Severe

FreeBSD: VID-E182C076-C189-11E8-A6D2-B499BAEBFEAF (CVE-2018-11763): Apache -- Denial of service vulnerability in HTTP/2
Severe

FreeBSD: VID-9B5162DE-6F39-11E8-818E-E8E0B747A45A (CVE-2018-0495): libgcrypt -- side-channel attack vulnerability
Moderate



Thanks.
 
Joined
Jul 3, 2015
Messages
926
In my experience, a lot of 'vulnerability scanners' don't take into account the art of backporting and just scan headers and report back. Therefore I'd be cautious to assume that these are all real vulnerabilities.

It may be more helpful if you could provide the name of the scanning tool that was used.
 

acp

Explorer
Joined
Mar 25, 2013
Messages
71
Well they did make clear that you shouldn't put freenas onto the internet.

I would also submit a bug report.
 
Joined
Jul 3, 2015
Messages
926

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
a buddy of mine scanned FreeNAS 11.2-U3 for possible security holes - below are his results.
It would also be helpful to understand why you are scanning the system. What perceived thread are you expecting / what environment is are you thinking to run the system in. If you were thinking to connect FreeNAS such that it would be exposed to the internet. That is not a good plan..
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
This looks a bit like output from 'pkg audit -F', which indeed outputs a distressing amount of things even on 11.2U3, which is very new.

@Chris Moore , before I decided on adopting FreeNAS, I ran 'pkg audit -F' to get a feel for how on top of security updates the developers are. It could be better. :(

ex: python2 is at 2.7.14. 2.7.15 was released 2018-05-01. That's almost a year now. python2 is only getting conservative/security changes at this point, with python3 being where the action is. I can understand them not wanting to jump major versions, but minor security updates are not applied fast enough for my tastes.
 

Octopuss

Patron
Joined
Jan 4, 2019
Messages
461
It would also be helpful to understand why you are scanning the system. What perceived thread are you expecting / what environment is are you thinking to run the system in. If you were thinking to connect FreeNAS such that it would be exposed to the internet. That is not a good plan..
How are people supposed to get updates then, though?
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
How are people supposed to get updates then, though?
Access out through a firewall is how most people download updates, but the FreeNAS should not be directly addressible to the internet, so it is the firewall and router that are guarding the FreeNAS from attack. The local network, I would hope, is relatively safe from attck. Personally, I download the tar file (FreeNAS-11.1-U7-manual-update.tar) to do my updates because I have FreeNAS servers on an air-gaped network where I work that never contact the internet at all.
There is also the fact that some of the vulnerabilities that are pointed out by various scanners are false positives with regard to FreeNAS.
 

Octopuss

Patron
Joined
Jan 4, 2019
Messages
461
Hmm, I might ask someone to check this out for me, because I know pretty much nothing about networking.
I just have pfSense and FreeNAS running as VMs in ESXi, and that's all I know.
 

acp

Explorer
Joined
Mar 25, 2013
Messages
71
Since FreeNAS is based on FreeBSD we get patched when they get patched. Obviously it is behind. FreeNAS is more of an appliance approach. It is not for everyone. Security is a balance. If your network is compromised, all the security in the world will not save you. This is not to say that vulnerability need not to be patched. They are working to make things better.
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
the FreeNAS should not be directly addressible to the internet

Why not? I guess the topic at hand seems to be answer enough: FreeNAS doesn't get security updates very quickly. But I wonder if you have a different reason?

The local network, I would hope, is relatively safe from attck.

In a home setting maybe, but in a company or school? No, you don't fully trust all your employees/students.

Besides: defense in depth.

There is also the fact that some of the vulnerabilities that are pointed out by various scanners are false positives with regard to FreeNAS.

No doubt, but how can a FreeNAS admin determine that?

For sure some updates can break things, but some are pretty conservative. Newest FreeNAS has Python 2.7.14 (from 2017-09-16), current is 2.7.15 (from 2018-05-01). Python2 is in maintenance mode, changes to it are conservative and/or important. Shouldn't a year be enough time to get to 2.7.15?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
But I wonder if you have a different reason?
Because it's not a hardened installation. It's meant to function as a file server on a secured LAN.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,827
I'd suggest that if you don't trust your LAN, then it's time to install something between the FreeNAS and the LAN to limit the traffic that reaches it.

For example, a quality switch that limits the authorized users via VLAN or similar means. On top of that, you might filter out packets from any protocol other than the ones you want to allow. I'd also consider installing a honeypot at that point with an IDS using a Raspberry Pi or something similar. Have it record what's going on before disabling power to the switch. No switch = air gap.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
Listen, where I work, I have to apply DISA (Defense Information Systems Agency) STIG (Security Technical Implementation Guides) settings to systems in an effort to ensure they are as secure as we know how to make them. Systems that are not able to be secure get put on special networks. The way to handle FreeNAS is to put it on a special "Storage Network" that regular users can't access. I suppose that you might, with enough knowledge of FreeBSD and enough time to tinker with FreeNAS, I suppose it is possible that you could build your own, custom, secured version of FreeNAS, but you would need to do that again every time they release an update or you would need to freeze on the version you are on.
Like I said, at work, the FreeNAS systems I use are on an air-gap network and the only people that have access to that network do so from workstations that I have applied STIG settings to and they all have had background checks run on them for security clearances and they know that their activities are being monitored, and they do it from inside a secure room inside a secure facility with multiple, increasingly arduous layers of physical security. If you are going to go secure, go all in. I also make a point of going to some of them in the middle of the day and asking them about the file activity I noticed on the server because that reinforces the idea in their mind that 'Big Brother' watching.
FreeNAS is not secure, either work with that, or use RedHat (RHEL) with ZFS on Linux (ZoP) and apply all the security you want. That is what was being used at my work before I switched them over to FreeNAS. FreeNAS is faster, if you are curious and we had a need for speed in the processing we do. I did side by side testing before I fully switched over. If you secure Linux enough, nobody can even login to it.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
iX has no intention of hardiningin FreeNAS. If you don't like it, roll your own. I plan to.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
I won't speak for things outside my area of responsibility. We are careful to make sure that vulnerabilities in critical services (such as Samba) are addressed promptly. For instance, we had a security release for that horrific netatalk bug on the day that the embargo was lifted. In the 11.1 branch we were backporting security fixes and applying to Samba 4.7.0, about midway through the release we rebased on 4.7.6 (but kept the 4.7.0 version name). In 11.2 going forwards things will be clearer to end-users. We are following upstream samba precisely (with our customizations as patch files applied to the release). 11.2 is based on Samba 4.9, 11.3 will be based on Samba 4.10.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,827
iX has no intention of hardiningin FreeNAS. If you don't like it, roll your own. I plan to.
I'm glad you have that level of expertise! I'd never trust myself to get it all right.
I like Chris' example of a air-gapped network with reminders that big brother is watching. However, as Ms. Manning demonstrated, even air-gapped networks can be vulnerable if the folks entering and leaving the facility aren't consistently strip-searched / x-rayed. o_O
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I like Chris' example of a air-gapped network with reminders that big brother is watching. However, as Ms. Manning demonstrated, even air-gapped networks can be vulnerable if the folks entering and leaving the facility aren't consistently strip-searched / x-rayed. o_O
Not saying that a bad-actor could not bypass some security and do something they are not supposed to do. Generally speaking, in our facility, USB drives are forbidden and you need special permission to use one. The HBSS (Host Based Security System) software we use is configured to allow reading from a USB drive because we receive data that way frequently, but to write data to a drive, the computer, and the user and the specific drive (by serial number) all need to have rights in the HBSS or they will not be able to write. We do, on rare occasions, need to 'sneaker net' data from one secure enclave to another, only up, never down. We do our best, but if someone is intentionally trying to break the rules, there are ways that data might be taken out, but the person would need to have a high clearance and malicious intent. For example, you can't legitimately take a drive out of the secure facility once it goes in. You might sneak it out because they don't do a strip search, and that is what Manning did.
I don't know if there will ever be a complete cure for people that lie, cheat and steal.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I won't speak for things outside my area of responsibility. We are careful to make sure that vulnerabilities in critical services (such as Samba) are addressed promptly. For instance, we had a security release for that horrific netatalk bug on the day that the embargo was lifted. In the 11.1 branch we were backporting security fixes and applying to Samba 4.7.0, about midway through the release we rebased on 4.7.6 (but kept the 4.7.0 version name). In 11.2 going forwards things will be clearer to end-users. We are following upstream samba precisely (with our customizations as patch files applied to the release). 11.2 is based on Samba 4.9, 11.3 will be based on Samba 4.10.
I don't mean to say iX has no consideration for security, just no intention of hardening to the point that many people would like. For example, there is not built in firewall. The webUI defaults to HTTP and not HTTPS, EVERYTHING running as root. While I understand some of this falls back to the user to implement and work around, there are a number of things that could be better.

On a side note, never trust a corporate LAN. You never know who plug what in where and left a tunnel open to who knows what network. No to mention BYOD environments. Jim brings in his laptop with crypto on a time delay... oops, Jans laptop is borked too now.

Side note: Everything running as root isn't even as bad as making people type the root password on their client machines... That coupled with the prevalence of leaving SSH running and accepting root logins with password only...
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
All good points. Still, it seems to me like a 2 week old release of FreeNAS could do better than a >1 year old version of apache & python2.7.
 
Top