- TrueNAS recommends hardening systems to mitigate risks
- Pwn2Own shows various attack vectors on NAS systems
- Cybersecurity teams earn more than $1 million by finding exploits
At the recent Pwn2Own Ireland 2024 event, security researchers identified vulnerabilities in several high-use devices, including network-attached storage NAS devices, cameras, and other connected products.
TrueNAS was one of the companies whose products were successfully attacked during the event, and vulnerabilities were found in its products with unhardened default configurations.
Following the competition, TrueNAS began rolling out updates to protect its products against these newly discovered vulnerabilities.
Security breaches on multiple devices
During the competition, several teams successfully exploited TrueNAS Mini X devices, demonstrating the potential for attackers to exploit interconnected vulnerabilities between different network devices. Notably, the Viettel Cyber Security team won $50,000 and 10 Master of Pwn points by chaining SQL injection and authentication bypass vulnerabilities from a QNAP router to the TrueNAS device.
Additionally, the Computest Sector 7 team also executed a successful attack by exploiting both a QNAP router and a TrueNAS Mini X using four vulnerabilities. The types of vulnerabilities included command injection, SQL injection, authentication bypass, improper certificate validation, and hard-coded cryptographic keys.
TrueNAS responded to the findings by publishing an advisory to its users, acknowledging the vulnerabilities and emphasizing the importance of following security recommendations to protect data storage systems against potential vulnerabilities.
By following these guidelines, users can increase their defenses, making it more difficult for attackers to exploit known vulnerabilities.
TrueNAS informed customers that the vulnerabilities affected unhardened default installations, meaning users who follow recommended security practices are already at reduced risk.
TrueNAS has recommended all users review its security guide and implement best practices, which can significantly minimize exposure to potential threats until patches are fully implemented.
Via Safety Week
