SoftNAS Cloud Vulnerability Found By Digital Defense, Plugged Before Customers Impacted
Security technology and services provider Digital Defense Wednesday said that it had discovered a vulnerability on the SoftNAS Cloud data storage platform and provided the information that led to a simple fix of that platform.
Digital Defense, San Antonio, reported in a blog post that SoftNAS Cloud Enterprise 4.2.0 and 4.2.1 were vulnerable to what it called an authentication bypass that unauthorized users could have used to gain access to the webadmin interface.
Such access could have potentially let an attacker create new users or execute commands that required administrative privileges, thereby impacting the platform and the data, Digital Defense said.
SoftNAS Cloud is cloud-native software for controlling and managing data, and is based on the OpenZFS file system, Apache NiFi and other technologies to form a private, single-tenant cloud.
Finding and fixing bugs is part of a software vendor's responsibilities, and SoftNAS immediately fixed the issue when alerted by Digital Defense, before any clients or their data were impacted, said Jeff Russo, senior vice president of products for Houston-based SoftNAS.
"The first thing a software company does when it finds a problem, it has to solve it," Russo told CRN. "We published information about our issue, and told customers about it."
The vulnerability started with the company's 4.2 release, and was open for only a couple months, Russo said. Version 4.2.2 fixed the vulnerability, he said.
The SoftNAS software runs in a virtual machine in Amazon Web Services or Microsoft Azure clouds to manage data, and as such should only interact outside the virtual machine with the data, Russo said. When configured properly, and with a virtual firewall in place, the virtual machine is not vulnerable to attack, he said.
However, during the couple of months when the software was vulnerable, if the virtual machine was configured incorrectly or not protected by a firewall, it was vulnerable to attack.
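The two facts above, the affected release range (4.2.0 and 4.2.1, fixed in 4.2.2) and the vendor's point that an unfirewalled VM was the exposure, can be turned into a simple triage check for an operator's own inventory. The following is an added example, not SoftNAS or Digital Defense code; the ingress-rule shape, the trusted admin networks and the assumption that the webadmin interface listens on port 443 are illustrative only.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Tuple

AFFECTED_MIN = (4, 2, 0)   # first affected release, per the article
FIXED = (4, 2, 2)          # release that closed the bypass, per the article
WEBADMIN_PORT = 443        # assumption: HTTPS admin UI; adjust to your deployment

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1): compare numerically so '4.2.10' sorts after '4.2.2'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def version_affected(text: str) -> bool:
    """True for 4.2.0 <= version < 4.2.2."""
    return AFFECTED_MIN <= parse_version(text) < FIXED

@dataclass(frozen=True)
class Ingress:
    cidr: str        # source network allowed by the firewall / security group
    from_port: int
    to_port: int

def webadmin_exposed(rules: Iterable[Ingress], allowed_sources: Iterable[str],
                     port: int = WEBADMIN_PORT) -> List[str]:
    """Return source CIDRs that reach the admin port from outside the trusted admin networks."""
    allowed = [ip_network(c) for c in allowed_sources]
    offending = []
    for r in rules:
        if not (r.from_port <= port <= r.to_port):
            continue
        src = ip_network(r.cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            offending.append(r.cidr)
    return offending

def triage(version: str, rules: Iterable[Ingress], allowed_sources: Iterable[str]) -> str:
    """EXPOSED = affected build reachable from untrusted networks; UPGRADE = affected but
    firewalled (the vendor's 'protected environment'); TIGHTEN = patched but over-exposed."""
    affected = version_affected(version)
    open_from = webadmin_exposed(rules, allowed_sources)
    if affected and open_from:
        return "EXPOSED"
    if affected:
        return "UPGRADE"
    return "TIGHTEN" if open_from else "OK"

# Constructed sample: a test VM on 4.2.1 with the admin port open to the world
SAMPLE_RULES = [Ingress("0.0.0.0/0", 443, 443)]
TRUSTED_ADMIN_NETS = ["10.0.0.0/8"]   # constructed corporate admin range
```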
"We publish best practices," he said. "There's no reason in a protected environment for a virtual machine to be accessible from other processes. But in some cases, customers may set up a virtual machine for testing, and if it was not properly configured and firewalled, there was a potential issue."
SoftNAS did not get any reports from customers of issues with its software, Russo said. "This is a case where Digital Defense found an issue, and we fixed it," he said. "We work with Digital Defense and other security vendors, some of which are our customers as well, and are always looking at our security."