Vulnerabilities of TrueNAS devices exposed in hacking competition
- TrueNAS recommends strengthening systems to mitigate risks
- Pwn2Own shows various attack vectors on NAS systems
- Cybersecurity teams make more than $1 million finding exploits
At the recent Pwn2Own Ireland 2024 event, security researchers identified vulnerabilities in several commonly used devices, including network-attached NAS storage devices, cameras and other connected products.
TrueNAS was one of the companies whose products were successfully targeted during the event, with vulnerabilities found in its products with standard, unhardened configurations.
Following the competition, TrueNAS began deploying updates to secure their products against these newly discovered vulnerabilities.
Vulnerabilities across multiple devices
During the competition, multiple teams successfully exploited TrueNAS Mini X devices, demonstrating the potential for attackers to exploit interconnected vulnerabilities between different network devices. Notably, the Viettel Cyber Security team earned $50,000 and 10 Master of Pwn points by linking SQL injection and authentication to bypassing vulnerabilities from a QNAP router to the TrueNAS device.
Additionally, the Computest Sector 7 team also conducted a successful attack by exploiting both a QNAP router and a TrueNAS Mini X using four vulnerabilities. The types of vulnerabilities include command injection, SQL injection, authentication bypass, improper certificate validation, and hardcoded cryptographic keys.
TrueNAS responded to the results with a advisory for its users, recognizing the vulnerabilities and emphasizing the importance of following security recommendations to protect data storage systems from possible exploits.
By adhering to these guidelines, users can strengthen their defenses, making it more difficult for attackers to exploit known vulnerabilities.
TrueNAS informed customers that the vulnerabilities affected standard, unhardened installations, meaning users who follow recommended security practices are already at reduced risk.
TrueNAS has advised all users to review security guidelines and implement best practices, which can significantly minimize exposure to potential threats until the patches are fully rolled out.
Via Security Week