IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in FreeNAS

August 5, 2009

The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) announced a security alert on August 5, 2009 concerning a security vulnerability in “FreeNAS”.
If exploited, an attacker with malicious intent may gain control of computers on which “FreeNAS” is installed and cause damage such as shutting down the computer or reformatting the hard disk drive.
To fix this vulnerability, update to the fixed version supplied by the vendor.

1. Overview

“FreeNAS” is an open-source operating system (OS), which offers a file-sharing function to the computer it is installed on.

A Cross-Site Request Forgery (*1) vulnerability exists in “FreeNAS”, which allows an attacker to cause operations the user did not intend to be executed.

If this vulnerability is exploited, fraudulent operations chosen by an attacker with malicious intent may be executed on computers on which “FreeNAS” is installed.

For detailed information, refer to the URL below:
http://www.freenas.org/index.php?option=com_frontpage&Itemid=22

For the latest information, refer to the URL below:
http://jvndb.jvn.jp/jvndb/JVNDB-2009-000053

The IPA first received a report concerning this vulnerability from the creditee below on April 21, 2009. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor to clarify the matter, and the announcement was made public on August 5, 2009.
Credit: Hiroyuki Shinshiba, Little eArth Corporation Co. Ltd. (LAC)

2. Impact

If a user who is logged into “FreeNAS” is lured to a malicious Web page embedded with fraudulent commands, malicious operations such as shutting down the server or reformatting the hard disk drive may be carried out.

As a result, the server on which “FreeNAS” is set up may fall under the control of an attacker with malicious intent.
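The mechanism described above, as an added illustration that is not FreeNAS code and does not describe the vendor's actual fix: a constructed model of a NAS web GUI in which a state-changing "shutdown" action is authorized only by the session cookie (which the browser attaches to a request submitted from an attacker's page too), set beside a handler that additionally requires a per-session synchronizer token that only a page served by the NAS itself could embed. All names (SESSIONS, Request, shutdown_vulnerable, shutdown_fixed) are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed session store: session cookie value -> per-session CSRF token.
SESSIONS: Dict[str, str] = {}


def login() -> str:
    """Create a logged-in session and issue its secret CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


@dataclass
class Request:
    cookie_sid: Optional[str]                    # value of the session cookie, if any
    form: Dict[str, str] = field(default_factory=dict)  # submitted form fields


def shutdown_vulnerable(req: Request) -> str:
    """Authorizes on the session cookie alone. A browser sends that cookie with
    any request to the NAS, including one auto-submitted by a malicious page,
    so a forged request from a logged-in victim is accepted."""
    if req.cookie_sid not in SESSIONS:
        return "denied: not logged in"
    return "shutting down"


def shutdown_fixed(req: Request) -> str:
    """Synchronizer-token check: the form must also carry the token bound to
    this session. Another site cannot read it, so its forged form lacks it."""
    if req.cookie_sid not in SESSIONS:
        return "denied: not logged in"
    expected = SESSIONS[req.cookie_sid]
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return "denied: missing or invalid CSRF token"
    return "shutting down"


def demo():
    """Return (vulnerable handler on forged request, fixed handler on forged
    request, fixed handler on genuine request)."""
    sid = login()
    forged = Request(cookie_sid=sid, form={"action": "shutdown"})  # no token
    genuine = Request(cookie_sid=sid, form={"csrf_token": SESSIONS[sid]})
    return shutdown_vulnerable(forged), shutdown_fixed(forged), shutdown_fixed(genuine)
```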

3. Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score)
  □ Low     (0.0~3.9)
  □ Medium  (4.0~6.9)
  ■ High    (7.0~10.0)
CVSS base score: 7.1

(2) Base Score Metrics

AV: Access Vector          □ Local     □ Adjacent Network   ■ Network
AC: Access Complexity      ■ High      □ Medium             □ Low
Au: Authentication         □ Multiple  □ Single             ■ None
C:  Confidentiality Impact ■ None      □ Partial            □ Complete
I:  Integrity Impact       □ None      □ Partial            ■ Complete
A:  Availability Impact    □ None      □ Partial            ■ Complete

■: Selected Values

5. CWE Type

This vulnerability has been classified under CWE as “Cross-Site Request Forgery (CSRF) (CWE-352)”.

Footnote

(*1) This is a vulnerability by which a user may be made to execute operations they did not intend, due to a trap set up by an attacker with malicious intent.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: