At the recent Pwn2Own Ireland 2024 event, security researchers identified vulnerabilities in several widely used devices, including network-attached storage (NAS) devices, cameras, and related products.
TrueNAS was one of the vendors whose products were successfully targeted during the event, with vulnerabilities found in products running default, unhardened configurations.
Following the competition, TrueNAS began deploying updates to secure its products against these newly discovered vulnerabilities.
During the competition, several teams successfully exploited TrueNAS Mini X devices, demonstrating how attackers can chain vulnerabilities across different network devices. In particular, the Viettel Cyber Security team won $50,000 and 10 Master of Pwn points by chaining SQL injection and authentication bypass vulnerabilities from a QNAP router through to the TrueNAS device.
The Computest Sector 7 team also carried out a successful attack against a QNAP router and a TrueNAS Mini X using four vulnerabilities. The vulnerability types included command injection, SQL injection, authentication bypass, improper certificate validation, and hard-coded cryptographic keys.
TrueNAS responded to the findings by releasing an advisory for its users, acknowledging the vulnerabilities and emphasizing the importance of following its security recommendations to protect data storage systems against potential exploitation.
By adhering to these guidelines, users can increase their defenses, making it more difficult for attackers to exploit known vulnerabilities.
TrueNAS informed customers that the vulnerabilities affected default, non-hardened installations, meaning users who follow recommended security practices are already at reduced risk.
TrueNAS advised all users to review its security guidance and implement best practices, which can significantly reduce exposure to potential threats until patches are fully deployed.
Via Safety Week