Authentication Bypass Vulnerability Found in SoftNAS Cloud

A security firm’s Vulnerability Research Team (VRT) found and reported a vulnerability in SoftNAS Cloud data storage. SoftNAS fixed the vulnerability last week, and details of the vulnerability are now being made public.

The Digital Defense VRT found the vulnerability in SoftNAS Cloud Enterprise 4.2.0. Earlier versions are not affected, and it has been fixed in version 4.2.2.

SoftNAS Cloud is a Linux-based virtual appliance that can be deployed on hypervisor-based systems, including Amazon AWS, Microsoft Azure and VMware vSphere. It runs as a virtual machine (VM), providing a broad range of software-defined capabilities.

The Digital Defense VRT found that if customers have exposed SoftNAS StorageCenter ports directly to the internet, the platform is vulnerable to an authentication bypass. The problem lies in the load balancer configuration file, which only checks whether a user cookie is set; if it is not, the user is redirected to the login page.

However, any arbitrary value can be supplied for this cookie, granting access to the web interface without valid credentials. So if these ports are exposed to the internet, an attacker can use this method to gain unauthenticated access to the Webadmin interface and, from there, create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data. SoftNAS fixed the issue in version 4.2.2, released last week.
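As an added illustration (not SoftNAS code; the cookie name, session store and token format are assumptions), the presence-only cookie check described above is modelled beside a server-side session validation that closes the gap:

```python
"""Presence-only cookie gate vs. server-side session validation.

Added illustration of the flaw class described in the article: a front-end
rule that only tests whether a cookie is *set*. It is not SoftNAS code; the
cookie name, session store and token format are assumptions.
"""
from __future__ import annotations

import hmac
import secrets
import time

COOKIE_NAME = "user"  # assumed name; the article does not give it


def weak_gate(cookies: dict[str, str]) -> bool:
    """Model of the flawed load-balancer rule: redirect to login only when the
    cookie is absent or empty. Any non-empty value is waved through, so the
    check performs no authentication at all."""
    return bool(cookies.get(COOKIE_NAME))


class SessionStore:
    """Server-side session table: the only place a cookie value gains meaning."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}
        self.ttl = ttl_seconds

    def issue(self, username: str, now: float | None = None) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, not derived from the user
        self._sessions[token] = (username, (now or time.time()) + self.ttl)
        return token

    def lookup(self, token: str, now: float | None = None) -> str | None:
        now = now or time.time()
        for stored, (user, expires) in list(self._sessions.items()):
            if expires < now:  # purge expired sessions lazily
                del self._sessions[stored]
                continue
            if hmac.compare_digest(stored, token):  # constant-time comparison
                return user
        return None


def fixed_gate(cookies: dict[str, str], store: SessionStore, now=None) -> bool:
    """Hardened rule: the cookie is an opaque handle that must resolve to a live
    session; presence alone proves nothing."""
    token = cookies.get(COOKIE_NAME, "")
    return bool(token) and store.lookup(token, now) is not None
```

The same defect reappears whenever an edge proxy makes an authorisation decision without consulting the application's session state; `fixed_gate` shows the minimum the backing check has to do.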

The whole process is a good example of ‘responsible disclosure’ working well. The vulnerability was discovered by researchers and reported to the vendor. The vendor worked with the researchers, rapidly fixed the vulnerability and issued a new version of the software. The researchers waited one week to give users time to update their systems before publicly disclosing the vulnerability. “The SoftNAS team was extremely collaborative and diligent in their rapid response to the identification of the issue, resulting in a quick resolution,” commented Tom DeSot, EVP and CIO at Digital Defense.

The vulnerability was discovered on January 26, 2019 in SoftNAS version 4.2. On February 14, SoftNAS released version 4.2.1, claiming in the release notes, “NGINX security issue fixed — An authentication bypass vulnerability has been fixed. This issue only affects SoftNAS Cloud v 4.2, and is only externally exploitable for customers who have not followed best practices in restricting StorageCenter port access to only their private networks and/or IP-restricted client as documented in Instance Planning: Security. (15764)”

Clearly, this wasn’t wholly true, since the version 4.2.2 release notes of March 12 announced, “A vulnerability existed with 4.2.x releases in which systems deployed with ports exposed to the internet against SoftNAS best practices could be compromised, allowing access to the system without valid user credentials, has been addressed.” So the vulnerability at least partially persisted in version 4.2.1.

SoftNAS SVP of Products, Jeff Russo, explained to SecurityWeek, “A quick partial fix was included in SoftNAS Cloud 4.2.1 which significantly reduced the vulnerability footprint, and the complete fix was included in version 4.2.2.” Digital Defense appears to have signed off on this full second fix by going public on the vulnerability. 

SoftNAS users should upgrade to the latest version as soon as possible. If this isn’t possible, they should at least comply with SoftNAS best practices by not leaving any ports open to the internet.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.