A vulnerability in the SoftNAS Cloud data storage platform could allow attackers to bypass authentication and gain access to a company’s web-admin interface without valid credentials. Security vendor Digital Defense disclosed the flaw in a blog post today, and said SoftNAS worked with its Vulnerability Research Team to issue a fix.
SoftNAS isn’t aware of any customer attacks resulting from the vulnerability. It’s “impossible” to know how many customers were exposed, said Jeff Russo, SoftNAS senior vice president of products.
“However, the potential vulnerability could only have potentially affected a small portion of the customer base as it only existed in versions 4.2.0 and 4.2.1, which were only available for two months,” he added. “And again, only customers who did not set up their environment according to SoftNAS best practices were exposed. We stress that customers always maintain the most recent software version and follow recommended best practices when configuring their environment.”
The vulnerability is not present in SoftNAS Cloud versions prior to 4.2 and is fixed in versions 4.2.2 and later. If customers didn’t follow deployment best practices, their StorageCenter ports were left exposed to the internet. This would allow an attacker to create new users or execute arbitrary commands with administrative privileges, potentially compromising both the data and the platform.
When Digital Defense’s researchers discover zero-day vulnerabilities like this one, they contact the affected vendor and then help, if possible, with remediation.
The takeaway from the disclosure is that companies should perform penetration tests and vulnerability scans on their network on a regular basis, said Tom DeSot, executive vice president and CIO at Digital Defense.
“Failure to do so leaves them, and potentially their customer base, at risk of exposure,” he said. “They also need to understand that they should have a test bed of the products that they buy so that even more extensive testing can be done than what would be done on a production system [where] there might be a downtime event, etc.”