- TrueNAS recommends hardening systems to reduce risk
- Pwn2Own demonstrates multiple attack vectors on NAS systems
- Researchers earned over $1M in total awards for the vulnerabilities they demonstrated
At the recent Pwn2Own Ireland 2024 event, security researchers demonstrated vulnerabilities in a range of widely used devices, including network-attached storage (NAS) systems, cameras and other connected products.
TrueNAS was among the vendors whose products were successfully compromised during the event, with the vulnerabilities found in devices running default, unhardened configurations.
Following the competition, TrueNAS has begun rolling out updates to address the newly disclosed vulnerabilities.
Security vulnerabilities across multiple devices
During the competition, multiple teams successfully exploited TrueNAS Mini X devices, showing how an attacker can chain vulnerabilities across different devices on the same network. Notably, the Viettel Cyber Security team chained a SQL injection with an authentication bypass, pivoting from a QNAP router to the TrueNAS device.
The Computest Sector 7 team likewise compromised a QNAP router and a TrueNAS Mini X using a chain of four vulnerabilities. The vulnerability classes involved across the entries include command injection, SQL injection, authentication bypass, improper credential validation, and hardcoded keys.
TrueNAS responded to the results by publishing security advice, urging users to take note of these vulnerabilities and stressing the importance of following its security recommendations to protect data storage systems from potential attacks.
By adhering to these guidelines, users can strengthen their defenses and make it harder for attackers to exploit the known vulnerabilities.
TrueNAS is informing customers that these vulnerabilities affect default, unhardened installations, meaning users who already follow the recommended security practices are at low risk.
TrueNAS recommends that all users review its security guidance and implement its best practices, which can minimize exposure to these threats until the patches are generally available.
Via Security Weekly