Latest interface: 0.3.1
Latest system: 010
Jason
Developer

806 posts

Posted on 23 October 2011 @ 12:48edited 13:30 14s
SECURITY ADVISORY (number 1)

Date: October 23rd, 2011 @ 08:48 UTC
Updated: -
Reported by: lead developer
Severity: medium
Fix available: partial


1. Introduction

ZFSguru 0.1.9 has not been released yet, but several beta and release candidate releases are available. These introduced a new authentication mechanism using both password authentication and IP access control, to prevent unauthorized access to the ZFSguru web-interface in hostile environments.

Both mechanisms are optional, although by default only the IP access control is enabled, limiting access to users connecting from LAN private IP blocks (such as 10.x.x.x and 192.168.x.x).


2. Nature of vulnerability

The optional password authentication mechanism can be bypassed if the attacker was not prevented access by the IP-based access control mechanism. The attacker could retrieve the user-supplied password and gain unauthorized access to the ZFSguru web-interface. For this to succeed, the attacker must be capable of making HTTP connections with the ZFSguru webserver, on port 80.


3. Scope of vulnerability

Only those users which have enabled password authentication are affected. IP-based access control is unaffected. Also, many users are using their ZFSguru server in a protected environment, where malicious internet users are unable to make contact with the ZFSguru server, including the webserver. So only a limited number of users are affected.


4. Released fixes

An update to the ZFSguru web-interface, 0.1.9-RC2 has been released, fixing the issue - but only for users employing the Apache webserver. The default webserver is Lighttpd, which is not addressed by this update. To fix the vulnerability for Lighttpd webserver, a new system image release is required, but is not yet available.


5. Recommendation

For users who do not have password authentication enabled: you do not have to do anything.
For users who have password authentication enabled and are using Apache: apply the 0.1.9-RC2 web-interface update via the System->Update page.
For users who have password authentication enabled and are using Lighttpd: wait for a new system image release to permanently fix this vulnerability and fallback to IP-based access control for the moment; restricting access only to trusted IP connections.

In addition, the author of ZFSguru highly recommends users not to use ZFSguru or any NAS appliance containing sensitive or important data in hostile environments, particularly where connections from the internet are able to reach the ZFSguru server. The same danger may apply when using wireless internet on your local network, since an attacker gaining access to your LAN via wireless connection could also gain access to your ZFSguru server, unless you are using strict IP-based access control settings (third option).

Security is paramount; protect your files, protect your privacy!
Last Page

Valid XHTML 1.1