Security Experts:

Authentication Bypass Vulnerability Found in SoftNAS Cloud

A security firm's Vulnerability Research Team (VRT) found and reported a vulnerability in SoftNAS Cloud data storage. SoftNAS fixed the vulnerability last week, and details of the vulnerability are now being made public.

The Digital Defense VRT found the vulnerability in SoftNAS Cloud Enterprise 4.2.0. Earlier versions are not affected, and it has been fixed in version 4.2.2.

SoftNAS Cloud is a Linux-based virtual appliance that can be deployed on hypervisor-based systems, including Amazon AWS, Microsoft Azure and VMware vSphere. It runs as a virtual machine (VM), providing a broad range of software-defined capabilities.

The Digital Defense VRT team found that if customers have openly exposed SoftNAS StorageCenter ports directly to the internet, the platform is vulnerable to an authenticated bypass. The problem lies in the load balancer configuration file which checks the status of a user cookie. If this value is not set, the user is redirected to the login page.

However, an arbitrary value can be provided for this cookie allowing access to the web interface without valid credentials. So, if there are ports exposed to the internet, an attacker can use this method to gain unauthenticated access to the Webadmin interface. From here, the attacker would be able to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data. SoftNAS fixed the issue in version 4.2.2 released last week.

The whole process is a good example of 'responsible disclosure' working well. The vulnerability was discovered by researchers and reported to the vendor. The vendor worked with the researchers, rapidly fixed the vulnerability and issued a new version of the software. The researchers waited one week to give users time to update their systems before publicly disclosing the vulnerability. "The SoftNAS team was extremely collaborative and diligent in their rapid response to the identification of the issue, resulting in a quick resolution," commented Tom DeSot, EVP and CIO at Digital Defense.

The vulnerability was discovered on January 26, 2019 in SoftNAS version 4.2. On February 14, SoftNAS released version 4.2.1, claiming in the release notes, "NGINX security issue fixed -- An authentication bypass vulnerability has been fixed. This issue only affects SoftNAS Cloud v 4.2, and is only externally exploitable for customers who have not followed best practices in restricting StorageCenter port access to only their private networks and/or IP-restricted client as documented in Instance Planning: Security. (15764)"

Clearly, this wasn't wholly true, since version 4.2.2 released March 12 announced, "A vulnerability existed with 4.2.x releases in which systems deployed with ports exposed to the internet against SoftNAS best practices could be compromised, allowing access to the system without valid user credentials, has been addressed." So, the vulnerability at least partially continued on version 4.2.1.

SoftNAS SVP of Products, Jeff Russo, explained to SecurityWeek, "A quick partial fix was included in SoftNAS Cloud 4.2.1 which significantly reduced the vulnerability footprint, and the complete fix was included in version 4.2.2." Digital Defense appears to have signed off on this full second fix by going public on the vulnerability. 

SoftNAS users should upgrade to the latest version as soon as possible. If this isn't possible, they should at least comply with SoftNAS best practices by not leaving any ports open to the internet.

Related: Code Execution Flaws Found in ManageEngine Products 

Related: Serious Flaws Affect Dell EMC, VMware Data Protection Products 

Related: Serious Flaws Affect Several ManageEngine Products

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.