FreeNAS 11.2-U3 Vulnerabilities

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
Actually I did the same audit a few weeks ago via nmap.
ESXi system, with FreeNAS (11.1), pfSense, Debian and Windows. Apart from a suspicious open port 6xxx in FreeNAS* I did not find much. pfSense with pfBlockerNG installed had more issues, mainly with an insecure DH algorithm.

This got addressed and will be fixed with the next release.

Would be good to know more about your findings and how the "audit" was made.
All of the findings above look to me like the scan was done on the system itself, not like in the real world, where you need to find the open port & the vuln. to get access.


Hardening done by myself in Tunables:
Code:
Variable freenas.services.smb.config.server_min_protocol
Value SMB3_10
Type sysctl 


Under Services / SMB, "Allow Empty Password" should be deactivated, same for NTLMv1.
Since I am only using Windows 10 as clients, I deactivated NetBIOS
-> "Auxiliary Parameters"
disable netbios = yes
smb ports = 445
smb encrypt = mandatory


*This strange open port is called HA and got addressed as a bug (#28031); behind this open port you will find an NGINX HTTP server with Python.
The "bug" got rejected by iX.
link to redmine
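The Auxiliary Parameters in the post above are plain Samba smb.conf syntax, so the hardening can be checked mechanically instead of by eye. The following is an added example (my own code, not FreeNAS or Samba code): it parses `key = value` lines as they would appear in the Auxiliary Parameters box and flags the weak settings the post turns off. The mapping of the "Allow Empty Password" checkbox to Samba's `null passwords` and of the NTLMv1 checkbox to `ntlm auth` is my assumption, and the two sample configurations are constructed for illustration.

```python
"""Audit smb.conf-style settings for the weak options discussed in the post.

Added example, not FreeNAS or Samba code. Input is plain 'key = value' text,
the same syntax as the SMB Auxiliary Parameters box.
"""

# Samba protocol identifiers, weakest first; aliases resolve to a concrete level.
_PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
              "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
              "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

# Constructed sample inputs (not taken from any real server).
WEAK_CONF = """
[global]
    server min protocol = NT1
    ntlm auth = yes            ; NTLMv1 accepted
    null passwords = yes       ; "Allow Empty Password" (assumed mapping)
    smb encrypt = desired
"""

HARDENED_CONF = """
[global]
    server min protocol = SMB3_10
    ntlm auth = no
    null passwords = no
    disable netbios = yes
    smb ports = 445
    smb encrypt = mandatory
"""


def _level(name):
    """Rank of a protocol name in _PROTOCOLS, or None if unrecognised."""
    name = _ALIASES.get(name.upper(), name.upper())
    return _PROTOCOLS.index(name) if name in _PROTOCOLS else None


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {normalised key: value}; comments and [section] lines are skipped.

    Keys are lower-cased with internal whitespace collapsed, so
    'Server Min Protocol' and 'server  min protocol' compare equal.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[" ".join(key.lower().split())] = value.strip()
    return settings


def audit_smb(settings):
    """Return a list of (setting, problem) tuples; an empty list is a clean result."""
    findings = []

    proto = settings.get("server min protocol")
    if proto is None:
        # Unset means the Samba build's default applies; older 4.x builds still
        # admit SMB1 by default, so an explicit value is required to pass.
        findings.append(("server min protocol", "not set; build default applies, SMB1 may be on"))
    elif _level(proto) is None:
        findings.append(("server min protocol", "unrecognised value %r" % proto))
    elif _level(proto) < _level("SMB2_02"):
        findings.append(("server min protocol", "%s still admits SMB1 (no encryption, legacy auth)" % proto))
    elif _level(proto) < _level("SMB3_00"):
        findings.append(("server min protocol", "%s is below SMB3; encryption needs an SMB3 dialect" % proto))

    # 'ntlm auth = yes' or 'ntlmv1-permitted' re-enables NTLMv1 responses.
    # Absent is treated as Samba 4.5+'s default of ntlmv2-only.
    ntlm = settings.get("ntlm auth", "ntlmv2-only").strip().lower()
    if _is_yes(ntlm) or ntlm == "ntlmv1-permitted":
        findings.append(("ntlm auth", "NTLMv1 accepted; captured responses crack offline"))

    if _is_yes(settings.get("null passwords", "no")):
        findings.append(("null passwords", "accounts with empty passwords can log in"))

    enc = settings.get("smb encrypt", "default").strip().lower()
    if enc not in ("required", "mandatory"):
        findings.append(("smb encrypt", "session encryption not enforced (value %r)" % enc))

    if not _is_yes(settings.get("disable netbios", "no")):
        findings.append(("disable netbios", "NetBIOS on; udp/137-138 and tcp/139 stay reachable"))
    if "139" in settings.get("smb ports", "445 139").split():
        findings.append(("smb ports", "tcp/139 still in the listen list"))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb(parse_smb_conf(conf)) or "no findings")
```

Run it against the text of your own Auxiliary Parameters box (or `testparm -s` output) rather than the GUI, since the GUI checkboxes and the aux parameters can disagree and Samba only honours the merged result. The check is static: it says what the config permits, not what a client actually negotiated, so pair it with a scan from another host.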
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
All good points. Still, it seems to me like a 2-week-old release of FreeNAS could do better than a >1-year-old version of Apache & Python 2.7.
You could submit a feature request on the ticket tracking site.
 

vermaden

Dabbler
Joined
Mar 9, 2019
Messages
16
Here is the current output from the pkg audit -F command, so I doubt that the vulnerabilities from the first post are 'false positives'.

My question is WHY FreeNAS uses SUCH OUTDATED packages with security holes? The FreeNAS team just needs to do pkg upgrade ... and eventually fix minor issues after the update.

As I downloaded 11.2-U3 I expected it to fix most (if not all) security holes that were present in 11.2-U2.

What is the point of having packages that old?



Code:
# pkg audit -F
vulnxml file up-to-date

apache24-2.4.33 is vulnerable:
Apache -- vulnerability
CVE: CVE-2019-0190
CVE: CVE-2018-17189
CVE: CVE-2018-17199
WWW: https://vuxml.FreeBSD.org/freebsd/eb888ce5-1f19-11e9-be05-4c72b94353b5.html
 
apache24-2.4.33 is vulnerable:
Apache -- Denial of service vulnerability in HTTP/2
CVE: CVE-2018-11763
WWW: https://vuxml.FreeBSD.org/freebsd/e182c076-c189-11e8-a6d2-b499baebfeaf.html
 
apache24-2.4.33 is vulnerable:
Apache httpd -- multiple vulnerabilities
CVE: CVE-2018-8011
CVE: CVE-2018-1333
WWW: https://vuxml.FreeBSD.org/freebsd/8b1a50ab-8a8e-11e8-add2-b499baebfeaf.html
 
apache24-2.4.33 is vulnerable:
Apache -- Multiple vulnerabilities
CVE: CVE-2019-0220
CVE: CVE-2019-0196
CVE: CVE-2019-0215
CVE: CVE-2019-0217
CVE: CVE-2019-0211
WWW: https://vuxml.FreeBSD.org/freebsd/cf2105c6-551b-11e9-b95c-b499baebfeaf.html
 
python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
CVE: CVE-2017-9233
CVE: CVE-2016-9063
CVE: CVE-2016-4472
CVE: CVE-2016-0718
CVE: CVE-2012-0876
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html
 
python27-2.7.14_1 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html
 
curl-7.62.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-3823
CVE: CVE-2019-3822
CVE: CVE-2018-16890
WWW: https://vuxml.FreeBSD.org/freebsd/714b033a-2b09-11e9-8bc3-610fd6e6cd05.html
 
libgcrypt-1.8.2 is vulnerable:
libgcrypt -- side-channel attack vulnerability
CVE: CVE-2018-0495
WWW: https://vuxml.FreeBSD.org/freebsd/9b5162de-6f39-11e8-818e-e8e0b747a45a.html
 
python36-3.6.5_1 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html
 
pango-1.42.0 is vulnerable:
pango -- remote DoS vulnerability
CVE: CVE-2018-15120
WWW: https://vuxml.FreeBSD.org/freebsd/5a757a31-f98e-4bd4-8a85-f1c0f3409769.html

py36-requests-2.18.4 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html
 
libnghttp2-1.31.0 is vulnerable:
nghttp2 -- Denial of service due to NULL pointer dereference
CVE: CVE-2018-1000168
WWW: https://vuxml.FreeBSD.org/freebsd/1fccb25e-8451-438c-a2b9-6a021e4d7a31.html
 
gnupg-2.2.6 is vulnerable:
gnupg -- unsanitized output (CVE-2018-12020)
CVE: CVE-2017-7526
CVE: CVE-2018-12020
WWW: https://vuxml.FreeBSD.org/freebsd/7da0417f-6b24-11e8-84cc-002590acae31.html
 
py36-cryptography-2.1.4 is vulnerable:
py-cryptography -- tag forgery vulnerability
CVE: CVE-2018-10903
WWW: https://vuxml.FreeBSD.org/freebsd/9e2d0dcf-9926-11e8-a92d-0050562a4d7b.html
 
perl5-5.26.1 is vulnerable:
perl -- multiple vulnerabilities
CVE: CVE-2018-6913
CVE: CVE-2018-6798
CVE: CVE-2018-6797
WWW: https://vuxml.FreeBSD.org/freebsd/41c96ffd-29a6-4dcc-9a88-65f5038fa6eb.html
 
wget-1.19.4_2 is vulnerable:
wget -- cookie injection vulnerability
CVE: CVE-2018-0494
WWW: https://vuxml.FreeBSD.org/freebsd/7b5a8e3b-52cc-11e8-8c7a-9c5c8e75236a.html
 
git-lite-2.17.0 is vulnerable:
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
CVE: CVE-2018-11235
CVE: CVE-2018-11233
WWW: https://vuxml.FreeBSD.org/freebsd/c7a135f4-66a4-11e8-9e63-3085a9a47796.html

13 problem(s) in the installed packages found.
 

rungekutta

Contributor
Joined
May 11, 2016
Messages
146
Feels like we’re making things up as we go along here to fit the narrative. If iX had a deliberate strategy to be lax about security for the sake of other things (what would those be?) then at best they are inconsistent as exemplified in https://redmine.ixsystems.com/issues/43558#change-516577 where they broke SMB for Mac clients in the name of overzealous DoS protection, since rolled back. I don’t see any good reasons to stay on unpatched minor Python versions other than compatibility problems (unlikely) or, sorry, slight sloppiness or at least lack of process. The latter makes it a valid discussion on how to potentially improve things - no?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
Running the least vulnerable sub-systems, etc. is a worthy goal but the team needs the resources to make it happen.

The best way forward is likely contributing money towards FreeNAS to allow the team to hire more resources. I recommend
  1. Buying iXsystems computer hardware if you have a need and their gear meets it (the after-sales support I've received has been phenomenal).
  2. Sponsoring FreeNAS directly if you're not in the market to buy something or have different needs. I hope that FreeNAS has fixed the issues I encountered with Paypal when I attempted to enter into a monthly subscription / donation. The one-time donation link worked for me.
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
11.2-U4 updated several packages, notably Apache and Python 2. Progress! There are still 13 warnings from pkg audit though.
 

vermaden

Dabbler
Joined
Mar 9, 2019
Messages
16
Just updated to 11.2-U4 ... very disappointed :/

Still 13 vulnerabilities ...

root@freenas[~]# uname -a
FreeBSD freenas.gkpge.pl 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+95cc58ca2a0(HEAD): Mon May 6 19:08:58 EDT 2019 root@mp20.tn.ixsystems.com:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64


root@freenas[~]# freebsd-version -uk
11.2-STABLE
11.2-STABLE


root@freenas[~]# sockstat -l4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root uwsgi-3.6 4006 3 tcp4 127.0.0.1:9042 *:*
root uwsgi-3.6 3188 3 tcp4 127.0.0.1:9042 *:*
nobody mdnsd 3144 4 udp4 *:31417 *:*
nobody mdnsd 3144 6 udp4 *:5353 *:*
www nginx 3132 6 tcp4 *:443 *:*
www nginx 3132 8 tcp4 *:80 *:*
root nginx 3131 6 tcp4 *:443 *:*
root nginx 3131 8 tcp4 *:80 *:*
root ntpd 2823 21 udp4 *:123 *:*
root ntpd 2823 22 udp4 10.49.13.99:123 *:*
root ntpd 2823 25 udp4 127.0.0.1:123 *:*
root sshd 2743 5 tcp4 *:22 *:*
root syslog-ng 2341 19 udp4 *:1031 *:*
nobody mdnsd 2134 3 udp4 *:39020 *:*
nobody mdnsd 2134 5 udp4 *:5353 *:*
root python3.6 236 22 tcp4 *:6000 *:*

root@freenas[~]# pkg audit -F
Fetching vuln.xml.bz2: 100% 785 KiB 804.3kB/s 00:01
python27-2.7.15 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html


curl-7.62.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-3823
CVE: CVE-2019-3822
CVE: CVE-2018-16890
WWW: https://vuxml.FreeBSD.org/freebsd/714b033a-2b09-11e9-8bc3-610fd6e6cd05.html


libgcrypt-1.8.2 is vulnerable:
libgcrypt -- side-channel attack vulnerability
CVE: CVE-2018-0495
WWW: https://vuxml.FreeBSD.org/freebsd/9b5162de-6f39-11e8-818e-e8e0b747a45a.html


python36-3.6.5_1 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html

pango-1.42.0 is vulnerable:
pango -- remote DoS vulnerability
CVE: CVE-2018-15120
WWW: https://vuxml.FreeBSD.org/freebsd/5a757a31-f98e-4bd4-8a85-f1c0f3409769.html


py36-requests-2.18.4 is vulnerable:
www/py-requests -- Information disclosure vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

libnghttp2-1.31.0 is vulnerable:
nghttp2 -- Denial of service due to NULL pointer dereference
CVE: CVE-2018-1000168
WWW: https://vuxml.FreeBSD.org/freebsd/1fccb25e-8451-438c-a2b9-6a021e4d7a31.html


gnupg-2.2.6 is vulnerable:
gnupg -- unsanitized output (CVE-2018-12020)
CVE: CVE-2017-7526
CVE: CVE-2018-12020
WWW: https://vuxml.FreeBSD.org/freebsd/7da0417f-6b24-11e8-84cc-002590acae31.html


py36-cryptography-2.1.4 is vulnerable:
py-cryptography -- tag forgery vulnerability
CVE: CVE-2018-10903
WWW: https://vuxml.FreeBSD.org/freebsd/9e2d0dcf-9926-11e8-a92d-0050562a4d7b.html

perl5-5.26.1 is vulnerable:
perl -- multiple vulnerabilities
CVE: CVE-2018-6913
CVE: CVE-2018-6798
CVE: CVE-2018-6797
WWW: https://vuxml.FreeBSD.org/freebsd/41c96ffd-29a6-4dcc-9a88-65f5038fa6eb.html


libssh2-1.8.0,3 is vulnerable:
libssh2 -- multiple issues
CVE: CVE-2019-3862
CVE: CVE-2019-3861
CVE: CVE-2019-3860
CVE: CVE-2019-3858
WWW: https://vuxml.FreeBSD.org/freebsd/6e58e1e9-2636-413e-9f84-4c0e21143628.html


git-lite-2.17.0 is vulnerable:
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
CVE: CVE-2018-11235
CVE: CVE-2018-11233
WWW: https://vuxml.FreeBSD.org/freebsd/c7a135f4-66a4-11e8-9e63-3085a9a47796.html


gnutls-3.5.18 is vulnerable:
GnuTLS -- double free, invalid pointer access
CVE: CVE-2019-3836
CVE: CVE-2019-3829
WWW: https://vuxml.FreeBSD.org/freebsd/fb30db8f-62af-11e9-b0de-001cc0382b2f.html


13 problem(s) in the installed packages found.


With the above vulnerabilities in Python 3.x and its modules, and python3 listening on port 6000 (not on localhost), it's a potential remote security hole ...
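The 11.2-U3 and 11.2-U4 listings in this thread were compared by eye. The following is an added example (my own code, not iXsystems or pkg code) that parses `pkg audit -F` output and diffs two runs: which packages dropped off the list, which are still flagged and whether only their version string moved, and which advisories appeared. The two inputs are abridged from the outputs posted above, cut down to a few packages so the block stays short; the `3 problem(s)` footers reflect that abridgement, not the real totals.

```python
"""Parse 'pkg audit -F' output and diff two runs.

Added example, not iXsystems or pkg code. Inputs are abridged from the U3 and
U4 outputs posted in this thread (a few packages each, real CVE ids and URLs).
"""
import re

_HEADER = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
_CVE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d+)")
_WWW = re.compile(r"^WWW:\s*(\S+)")
_FOOTER = re.compile(r"^\d+ problem\(s\) in the installed packages found\.$")

AUDIT_U3 = """\
vulnxml file up-to-date

apache24-2.4.33 is vulnerable:
Apache -- Denial of service vulnerability in HTTP/2
CVE: CVE-2018-11763
WWW: https://vuxml.FreeBSD.org/freebsd/e182c076-c189-11e8-a6d2-b499baebfeaf.html

python27-2.7.14_1 is vulnerable:
python 2.7 -- multiple vulnerabilities
CVE: CVE-2018-1061
CVE: CVE-2018-1060
WWW: https://vuxml.FreeBSD.org/freebsd/8719b935-8bae-41ad-92ba-3c826f651219.html

python27-2.7.14_1 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html

curl-7.62.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-3823
CVE: CVE-2019-3822
CVE: CVE-2018-16890
WWW: https://vuxml.FreeBSD.org/freebsd/714b033a-2b09-11e9-8bc3-610fd6e6cd05.html

3 problem(s) in the installed packages found.
"""

AUDIT_U4 = """\
Fetching vuln.xml.bz2: 100%  785 KiB 804.3kB/s    00:01
python27-2.7.15 is vulnerable:
Python -- NULL pointer dereference vulnerability
CVE: CVE-2019-5010
WWW: https://vuxml.FreeBSD.org/freebsd/d74371d2-4fee-11e9-a5cd-1df8a848de3d.html

curl-7.62.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-3823
CVE: CVE-2019-3822
CVE: CVE-2018-16890
WWW: https://vuxml.FreeBSD.org/freebsd/714b033a-2b09-11e9-8bc3-610fd6e6cd05.html

libssh2-1.8.0,3 is vulnerable:
libssh2 -- multiple issues
CVE: CVE-2019-3862
CVE: CVE-2019-3858
WWW: https://vuxml.FreeBSD.org/freebsd/6e58e1e9-2636-413e-9f84-4c0e21143628.html

3 problem(s) in the installed packages found.
"""


def split_pkg(pkgspec):
    """'libssh2-1.8.0,3' -> ('libssh2', '1.8.0,3'); the version follows the last '-'."""
    name, _, version = pkgspec.rpartition("-")
    return name, version


def parse_pkg_audit(text):
    """Return {name: {version, cves, advisories, titles}} merged by package name
    (pkg audit prints one block per matching advisory, so a package can repeat)."""
    pkgs, current, want_title = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if _FOOTER.match(line):
            break
        m = _HEADER.match(line)
        if m:
            name, version = split_pkg(m.group("pkg"))
            current = pkgs.setdefault(name, {"version": version, "cves": set(),
                                             "advisories": set(), "titles": []})
            want_title = True
            continue
        if current is None or not line:
            continue
        if want_title:                      # first line after the header is the title
            current["titles"].append(line)
            want_title = False
        elif _CVE.match(line):
            current["cves"].add(_CVE.match(line).group(1))
        elif _WWW.match(line):
            current["advisories"].add(_WWW.match(line).group(1))
    return pkgs


def compare_audits(before, after):
    """Classify packages as fixed / new / persisting between two parsed runs."""
    persisting = {}
    for name in sorted(before.keys() & after.keys()):
        persisting[name] = {
            "version": (before[name]["version"], after[name]["version"]),
            "still_open": before[name]["cves"] & after[name]["cves"],
            "closed": before[name]["cves"] - after[name]["cves"],
            "opened": after[name]["cves"] - before[name]["cves"],
        }
    return {"fixed": sorted(before.keys() - after.keys()),
            "new": sorted(after.keys() - before.keys()),
            "persisting": persisting}


if __name__ == "__main__":
    print(compare_audits(parse_pkg_audit(AUDIT_U3), parse_pkg_audit(AUDIT_U4)))
```

Two caveats when reading the result. `pkg audit` matches the installed version string against the VuXML ranges, so a package with a backported fix and an unchanged version keeps showing up; the diff tells you what changed on the list, not whether the code is still exploitable on this host. And the "fixed" bucket only means the advisory no longer matches, which is what happened to python27 here: the version moved from 2.7.14_1 to 2.7.15, two CVEs dropped off, and CVE-2019-5010 stayed.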
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
Would it perhaps make sense to block all ports to the FreeNAS that don't need to be used? That is, compile a list of known-used ports, allow those, disallow all other traffic at the switch level?
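Compiling that list of known-used ports starts from what the box actually binds off-loopback, which the `sockstat -l4` output posted earlier in the thread already shows. The following is an added example (my own code, not FreeNAS code) that parses that output, separates loopback-only from network-reachable listeners, and reports anything outside an allow-list. The sample is the 11.2-U4 sockstat listing from the thread; the baseline of expected ports is my assumption for this host (web UI, SSH, NTP, mDNS) and would differ on a box that serves SMB, NFS or iSCSI.

```python
"""List what a FreeNAS box exposes, from 'sockstat -l4' output, and check it
against an allow-list.

Added example, not FreeNAS code. The sample is the sockstat output posted in
this thread for 11.2-U4; BASELINE is an assumed allow-list for that host.
"""
import ipaddress

SOCKSTAT_U4 = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root uwsgi-3.6 4006 3 tcp4 127.0.0.1:9042 *:*
root uwsgi-3.6 3188 3 tcp4 127.0.0.1:9042 *:*
nobody mdnsd 3144 4 udp4 *:31417 *:*
nobody mdnsd 3144 6 udp4 *:5353 *:*
www nginx 3132 6 tcp4 *:443 *:*
www nginx 3132 8 tcp4 *:80 *:*
root nginx 3131 6 tcp4 *:443 *:*
root nginx 3131 8 tcp4 *:80 *:*
root ntpd 2823 21 udp4 *:123 *:*
root ntpd 2823 22 udp4 10.49.13.99:123 *:*
root ntpd 2823 25 udp4 127.0.0.1:123 *:*
root sshd 2743 5 tcp4 *:22 *:*
root syslog-ng 2341 19 udp4 *:1031 *:*
nobody mdnsd 2134 3 udp4 *:39020 *:*
nobody mdnsd 2134 5 udp4 *:5353 *:*
root python3.6 236 22 tcp4 *:6000 *:*
"""

# Assumed allow-list for this host: web UI, SSH, NTP, mDNS. Anything else that
# listens on a non-loopback address is reported.
BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123), ("udp", 5353)}


def parse_sockstat(text):
    """Rows of 'sockstat -l' output as dicts; the header and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, fd, proto, local, _foreign = parts[:7]
        addr, _, port = local.rpartition(":")
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto.rstrip("46"), "addr": addr,
                     "port": None if port == "*" else int(port)})
    return rows


def is_exposed(addr):
    """True for wildcard or non-loopback bindings, i.e. reachable from the LAN."""
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: assume reachable


def exposed_listeners(rows):
    """Sorted (proto, port, command) for every socket reachable off-box."""
    return sorted({(r["proto"], r["port"], r["command"]) for r in rows
                   if r["port"] is not None and is_exposed(r["addr"])})


def unexpected(rows, baseline=BASELINE):
    """Exposed (proto, port) pairs that are not in the allow-list."""
    return sorted({(p, port) for p, port, _ in exposed_listeners(rows)
                   if (p, port) not in baseline})


if __name__ == "__main__":
    rows = parse_sockstat(SOCKSTAT_U4)
    for proto, port, cmd in exposed_listeners(rows):
        print("%s/%s %s" % (proto, port, cmd))
    print("not in allow-list:", unexpected(rows))
```

On the posted listing this reports tcp/6000 (the python3.6 listener the thread is worried about) plus three UDP ports: syslog-ng's 1031 and the two high mdnsd ports. Decide per entry whether it is needed before writing the upstream ACL; the UDP ones are responder sockets that a stateful firewall handles differently from a plain switch ACL. Re-run after every update, since a new release can add a listener without any change in the GUI.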
 

vermaden

Dabbler
Joined
Mar 9, 2019
Messages
16
Thank You for your effort.

... but, from 'professionals' like iXsystems (with 'real' paid solutions like TrueNAS) I expect them to consider security as one of the most important aspects when it comes to appliances/systems that are designed to gather large amounts of data. They have a good selling point (OpenZFS) but what does it change when someone hacks a FreeNAS (or TrueNAS) and destroys/changes all that data?

What strikes me most is that such a small change as updating packages to the latest secure level (not the latest version with the latest features) should be 'easy' or 'easily fixable'.

Right now - seeing how (insecurely) FreeNAS is kept - I doubt that their 'paid' solution TrueNAS is built and kept otherwise. I just got the idea that they do a nice web interface (yes, it's really nice) and they do not consider security to be important (FreeNAS does not even have a 'Firewall' in its web interface) .... and I am not an OpenBSD 'maniac' [1] trying to enforce all possible security mechanisms here - I just expect a 'reasonable' manufacturer like iXsystems to update the packages to secure versions ... maybe I expect too much :)

I posted the security holes of FreeNAS 11.2-U4 just to show the (almost complete) lack of progress. I have chosen 'plain' FreeBSD anyway, so it (now) does not matter to me if FreeNAS is secure or not. My 'need' was to use FreeNAS as an 'interface' to export and manage about 1 PB (yes, 1000 TB) of raw 12 TB disks of data to other systems using iSCSI/NFS/CIFS protocols, but after messing a little with /etc/ctl.conf on FreeBSD it seems even simpler than doing it with the FreeNAS web interface ...

... it's a pity that I can not recommend FreeNAS to 'casual' users anymore ... maybe XigmaNAS or ZFSguru are good candidates here ... but I did not have time to evaluate them, so do this by yourself please :)

[1] I do not want to offend the OpenBSD approach/users here - it's just that OpenBSD has the highest security standards, to which even a securely patched FreeBSD system can only try to aspire - these OpenBSD people/devs can sometimes be seen by FreeBSD people as 'security maniacs' - which of course is not true, all systems should be secure - but FreeBSD, to have more features/performance, sacrifices some of the security. In other words - kudos to the OpenBSD people/devs for implementing and keeping the secure attitude.

Regards,
vermaden
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
I'm not as pessimistic as you. First, not every vulnerability is exploitable, so it's possible they have evaluated them and judged them not problematic in practice. Second, they have been fixing the ones I've filed bugs for. Maybe no one bothered to file bugs before me?

Still, it's not exactly great to see a 1 day old product list 13 unpatched vulns using a tool that *it itself ships with*. :) The optics of that just aren't good.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
... its pity that I can not recommend FreeNAS to 'casual' users any more ... :)
I agree that it is odd for a package to ship with a vulnerability tool that shows "hits" on a recent release. At the same time, I wonder to what extent the team has the time and people required to patch everything and test it for stability. That seems to be the over-arching theme with FreeNAS - maintaining data integrity. But the team needs resources for all that and how many on this forum have given to the cause - either by buying hardware that is iXsystems branded or by giving directly?

Several folk here have commented that if the naughty are roaming the halls of your network that you've already lost. To some extent, I agree with that sentiment, and yet I also wish that systems would not ship with needlessly open ports ever. If that has to be enforced with a firewall within FreeNAS, so be it. At the same time, I recognize how much firewalls can complicate network resources and why FreeNAS hence eschews shipping with one of them.

None of the above however is a good reason to abandon FreeNAS altogether or to not recommend it to others. The important question here is whether FreeNAS is the right tool for the job. The benefits of ZFS are such that this is a great package for any user who values data integrity and who is willing to put in the time and the resources to set up the system as intended. There is a big learning curve, this is definitely not a QNAP, Synology, or ReadyNAS system (and I've used all three of those).
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
But the team needs resources for all that and how many on this forum have given to the cause - either by buying hardware that is iXsystems branded or by giving directly?

Well, my employer bought a $6000 system from iX, so hopefully I get to complain a little. :) All software is hopelessly buggy, and I say that as a professional software developer myself. Still, we must strive to improve.
 

proto

Patron
Joined
Sep 28, 2015
Messages
269
its pity that I can not recommend FreeNAS to 'casual' users any more

Umm... I think "casual users" should stay away from any command-line, build-your-own-server NAS/SAN solution.

A lot of people are still unaware of security issues; they just expect plugins to work out of the box, put their personal cloud online, etc.
What can you expect from this type of user who does not have a minimum of security knowledge?
It is not just a FreeNAS problem, but an educational one related to end-users (I mean: lack of basic knowledge of any *nix system, networking): the vulnerabilities and the complex exploits are the least of the problems, when the real one is maybe not being able to understand permissions on folders. But in these cases not even a firewall can protect you, not even an alternative system.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
I will not speak to areas outside of my sphere of immediate responsibility, but as I replied to Sean when he opened a bug ticket, Netatalk in FreeNAS is not vulnerable despite what `pkg audit` says. We had advance notice of the upcoming CVE / security release and put out an out-of-band FreeNAS release to address the vulnerability. Backporting security fixes tends to throw off tools like pkg audit.
 