SoftNAS users should upgrade their virtual appliance immediately following the discovery of a security issue in the product's session management. Texas pen-testing outfit Digital Defense discovered the vulnerability during an engagement and coordinated disclosure with SoftNAS. Version 4.2.2 contains the relevant security patch.
"SoftNAS Cloud Enterprise 4.2.0 is vulnerable to an authenticated bypass that could be leveraged to gain access to the webadmin interface without valid user credentials," the Digital Defense advisory says. "The vulnerability potentially allows an attacker to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and data."
Typically, a SoftNAS appliance is not deployed internet-facing, mitigating the risk for users. However, an intruder already in an enterprise network would find the SoftNAS appliance a softer target than many end points and rich with backup data to exfiltrate.
"A lot of times when we're in security assessments, we tend to take a very hard look at backup and network-attached storage systems," Mike Cotton, vice president of research and development at Digital Defense, tells CSO. "They house a lot of critical information from hundreds of systems potentially."
"If you have one of these appliances, I would move it to the top of the [patching] list," he adds.
Proper SoftNAS setup mitigates risk
For their part, SoftNAS emphasized that customers should not be exposing their SoftNAS appliance to the wilds of the open internet. "If [customers] set this up correctly, there would be no threat from the outside of the corporate environment or data center," Jeff Russo, senior vice president of products, says.
The vulnerability was introduced in SoftNAS version 4.2.0, Russo explains, when the company integrated nginx support, ironically to improve the security of the product. "The footprint of nginx is smaller, the performance is better," Russo says, "there are fewer security issues with nginx."
Digital Defense was surprised to find such a significant vulnerability in SoftNAS's product. "We were expecting more robust session management, which is typically what we see on these devices," Cotton tells CSO. "We've worked with other high-profile vendors on flaws like this."
The SoftNAS appliance currently only offers password-based authentication, but Russo says plans are in the works to introduce two-factor authentication soon.
SoftNAS customers rely on their software appliances for primary, secondary, and archive storage, according to Russo. The killer feature for SoftNAS customers has been the ability to migrate on-premises applications to the cloud without having to rewrite those applications.
The vulnerability has not yet been assigned a CVE.