TrueNAS device vulnerabilities exposed during hacking competition

Representational image of a hacker
(Image credit: Shutterstock)
  • TrueNAS recommends hardening systems to mitigate risks
  • Pwn2Own showcases diverse attack vectors on NAS systems
  • Cybersecurity teams earn over $1 million by finding in exploits

At the recent Pwn2Own Ireland 2024 event, security researchers identified vulnerabilities in various high-use devices, including network-attached storage NAS devices, cameras, and other connected products.

TrueNAS was one of the companies whose products were successfully targeted during the event, with vulnerabilities found in its products with default, non-hardened configurations.

Following the competition, TrueNAS have started implementing updates to secure their products against these newly discovered vulnerabilities.

Security gaps across multiple devices

During the competition, multiple teams successfully exploited TrueNAS Mini X devices, demonstrating the potential for attackers to leverage interconnected vulnerabilities between different network devices. Notably, the Viettel Cyber Security team earned $50,000 and 10 Master of Pwn points by chaining SQL injection and authentication bypass vulnerabilities from a QNAP router to the TrueNAS device.

Furthermore, the Computest Sector 7 team also executed a successful attack by exploiting both a QNAP router and a TrueNAS Mini X using four vulnerabilities. The types of vulnerabilities included command injection, SQL injection, authentication bypass, improper certificate validation, and hardcoded cryptographic keys.

TrueNAS responded to the results by releasing an advisory for its users, acknowledging the vulnerabilities and emphasizing the importance of following security recommendations to protect data storage systems against potential exploits.

By adhering to these guidelines, users can increase their defences, making it harder for attackers to leverage known vulnerabilities.

TrueNAS informed customers that the vulnerabilities affected default, non-hardened installations, meaning that users who follow recommended security practices are already at a reduced risk.

TrueNAS has advised all users to review its security guidance and implement best practices, which can significantly minimize exposure to potential threats until the patches are fully rolled out.

Via SecurityWeek

You might also like

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com