Authentication Bypass Vulnerability Found in SoftNAS Cloud

A security firm’s Vulnerability Research Team (VRT) found and reported a vulnerability in SoftNAS Cloud data storage. SoftNAS fixed the vulnerability last week, and details of the vulnerability are now being made public.

The Digital Defense VRT found the vulnerability in SoftNAS Cloud Enterprise 4.2.0. Earlier versions are not affected, and it has been fixed in version 4.2.2.

SoftNAS Cloud is a Linux-based virtual appliance that can be deployed on hypervisor-based systems, including Amazon AWS, Microsoft Azure and VMware vSphere. It runs as a virtual machine (VM), providing a broad range of software-defined capabilities.

The Digital Defense VRT found that if customers have exposed SoftNAS StorageCenter ports directly to the internet, the platform is vulnerable to an authentication bypass. The problem lies in the load balancer configuration file, which checks the status of a user cookie. If this value is not set, the user is redirected to the login page.

However, an arbitrary value can be provided for this cookie allowing access to the web interface without valid credentials. So, if there are ports exposed to the internet, an attacker can use this method to gain unauthenticated access to the Webadmin interface. From here, the attacker would be able to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data. SoftNAS fixed the issue in version 4.2.2 released last week.
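The difference between checking that a cookie is set and checking that it is valid, as an added example that is not SoftNAS code or part of the original report. The cookie name, the token layout and the key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for illustration: the cookie name, token layout and key handling
# are hypothetical and are not taken from SoftNAS or its NGINX configuration.
COOKIE = "session"
KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


def presence_only_gate(cookies):
    """Flawed pattern described in the article: any non-empty value passes."""
    return bool(cookies.get(COOKIE))


def issue_token(user, ttl=900, now=None):
    """Issue 'user|expiry|mac' after a successful login."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    expiry = int((time.time() if now is None else now) + ttl)
    body = f"{user}|{expiry}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validated_gate(cookies, now=None):
    """Accept only a token this server issued and that has not expired."""
    parts = cookies.get(COOKIE, "").split("|")
    if len(parts) != 3:
        return False
    user, expiry, mac = parts
    expected = hmac.new(KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the MAC also covers the expiry field,
    # so a verified expiry is always the integer the server wrote.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return int(expiry) > (time.time() if now is None else now)


def compare(cookies, now=None):
    """Return (presence_only_result, validated_result) for one request."""
    return presence_only_gate(cookies), validated_gate(cookies, now)
```

A request whose cookie was never issued by the server passes the first gate and fails the second, which is the gap a fix has to close regardless of whether the port is internet-facing.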

The whole process is a good example of ‘responsible disclosure’ working well. The vulnerability was discovered by researchers and reported to the vendor. The vendor worked with the researchers, rapidly fixed the vulnerability and issued a new version of the software. The researchers waited one week to give users time to update their systems before publicly disclosing the vulnerability. “The SoftNAS team was extremely collaborative and diligent in their rapid response to the identification of the issue, resulting in a quick resolution,” commented Tom DeSot, EVP and CIO at Digital Defense.

The vulnerability was discovered on January 26, 2019 in SoftNAS version 4.2. On February 14, SoftNAS released version 4.2.1, claiming in the release notes, “NGINX security issue fixed — An authentication bypass vulnerability has been fixed. This issue only affects SoftNAS Cloud v 4.2, and is only externally exploitable for customers who have not followed best practices in restricting StorageCenter port access to only their private networks and/or IP-restricted client as documented in Instance Planning: Security. (15764)”

Clearly, this wasn’t wholly true, since version 4.2.2 released March 12 announced, “A vulnerability existed with 4.2.x releases in which systems deployed with ports exposed to the internet against SoftNAS best practices could be compromised, allowing access to the system without valid user credentials, has been addressed.” So, the vulnerability at least partially continued on version 4.2.1.

SoftNAS SVP of Products, Jeff Russo, explained to SecurityWeek, “A quick partial fix was included in SoftNAS Cloud 4.2.1 which significantly reduced the vulnerability footprint, and the complete fix was included in version 4.2.2.” Digital Defense appears to have signed off on this full second fix by going public on the vulnerability. 

SoftNAS users should upgrade to the latest version as soon as possible. If this isn’t possible, they should at least comply with SoftNAS best practices by not leaving any ports open to the internet.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
