FreeBSD/FreeNAS patching

Status
Not open for further replies.

James Moses

Cadet
Joined
Dec 5, 2013
Messages
5
Colleagues,

Is it reasonable, normal and common practice to do out-of-band software patch downloads and installs against a version of FreeNAS?

I recently upgraded my stable FreeNAS 9.3 to 11.1-U1 in order to get new OS features like TLS 1.2, and deprecate older features. Upgrade was flawless. However, my environment requires me to scan and patch weekly. I noticed that there are several vulnerabilities against FreeNAS 11.1-U1 that come up with a vulnerability scan. I totally understand that the scanner uses installed-software-version as the method to determine vulnerability. Also, I totally understand I still need to determine applicability of a detected vulnerability since the FreeBSD patch concept is different-than-mainstream (patch the vuln, but don't change the version).

Nevertheless, if there were a major zero-day that came out tomorrow, would it be normal to patch the FreeNAS "appliance" or should I wait until there is a newer build?

Thanks. Sorry if this has been already answered. I tried to do my forum reading homework before posting.

r/
-Jim
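The applicability check Jim describes, where a version-matching scanner flags a FreeBSD-based system that has already received the fix, is the one a practitioner ends up doing by hand. The following Python is an added example, not code from the thread or from the FreeNAS project: it parses version strings of the form printed by `freebsd-version -u` (installed userland) and `freebsd-version -k` (installed kernel), where FreeBSD carries the security patch level in the `-pN` suffix rather than in the release number, and classifies each constructed scanner finding as already patched, still vulnerable, or needing manual review because the release branch does not match. The finding identifiers, patch levels and the `component` field are all constructed for the example; real advisories and scanner output will differ.

```python
import re
from typing import Dict, List, Tuple

# Matches strings such as "11.1-RELEASE-p9", "11.1-STABLE" or "12.0-RC2-p1"
# as printed by `freebsd-version -u` (userland) and `freebsd-version -k`
# (installed kernel). The -pN suffix is the security patch level.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<branch>[A-Z]+\d*)(?:-p(?P<patch>\d+))?$"
)


def parse_version(text: str) -> Tuple[int, int, str, int]:
    """Return (major, minor, branch, patch_level); patch level 0 if no -pN suffix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FreeBSD version string: {text!r}")
    return int(m["major"]), int(m["minor"]), m["branch"], int(m["patch"] or 0)


def patch_status(installed: str, fixed_in: str) -> str:
    """Classify one version-based finding against the installed patch level.

    Only the -pN patch level is compared, and only when the release number and
    branch match; anything else is handed back for manual review rather than
    guessed at.
    """
    imaj, imin, ibranch, ipatch = parse_version(installed)
    fmaj, fmin, fbranch, fpatch = parse_version(fixed_in)
    if (imaj, imin, ibranch) != (fmaj, fmin, fbranch):
        return "manual-review"
    return "patched" if ipatch >= fpatch else "vulnerable"


def triage_findings(userland: str, kernel: str,
                    findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Check each finding against the kernel or userland patch level as appropriate.

    A kernel fix only counts once the patched kernel is installed, which is why
    the kernel version is tracked separately from the userland version.
    """
    results = []
    for finding in findings:
        component = finding.get("component", "userland")
        installed = kernel if component == "kernel" else userland
        results.append({
            "id": finding["id"],
            "component": component,
            "installed": installed,
            "fixed_in": finding["fixed_in"],
            "status": patch_status(installed, finding["fixed_in"]),
        })
    return results


# Constructed sample data for the example: not real advisories, not a real scan.
SAMPLE_USERLAND = "11.1-RELEASE-p9"   # hypothetical `freebsd-version -u` output
SAMPLE_KERNEL = "11.1-RELEASE-p4"     # hypothetical `freebsd-version -k` output
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "component": "userland", "fixed_in": "11.1-RELEASE-p6"},
    {"id": "FINDING-2", "component": "userland", "fixed_in": "11.1-RELEASE-p12"},
    {"id": "FINDING-3", "component": "kernel", "fixed_in": "11.1-RELEASE-p6"},
    {"id": "FINDING-4", "component": "userland", "fixed_in": "11.2-RELEASE-p1"},
]


if __name__ == "__main__":
    for row in triage_findings(SAMPLE_USERLAND, SAMPLE_KERNEL, SAMPLE_FINDINGS):
        print(f"{row['id']}: {row['status']:<14} "
              f"({row['component']} {row['installed']} vs fix in {row['fixed_in']})")
```

With the constructed data, FINDING-1 is reported as already patched (userland p9 is past p6), FINDING-2 as vulnerable, FINDING-3 as vulnerable because the installed kernel is still at p4 even though userland is at p9, and FINDING-4 as needing manual review because it refers to a different release. The base-system patch level says nothing about third-party packages, which are checked separately with `pkg audit`.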
 

Adrian

Contributor
Joined
Jun 29, 2011
Messages
166
I think you would be more likely to receive patched software faster if you switched to the -nightlies train, but you might encounter bugs and regressions.

If you are really brave, you could compile FreeNAS from scratch which would potentially allow you to apply your own patches.
See https://github.com/freenas/build/blob/master/README.md

Also, I would suspect that any environment requiring weekly patching also bans non release software.
 

wblock

Documentation Engineer
Joined
Nov 14, 2014
Messages
1,506
> Is it reasonable, normal and common practice to do out-of-band software patch downloads and installs against a version of FreeNAS?
No. It is an appliance. The relatively unusual part about this one is that it is possible to set up your own build environment and build it from scratch along with any upstream patches or homegrown ones. If you really must patch that frequently, that is what you will have to do.
 

James Moses

Cadet
Joined
Dec 5, 2013
Messages
5
Thanks for the feedback. As I suspected. My belief is that nobody really should be screwing around with the underlying OS of a NAS anyway. I already think of the NAS as an appliance. My environment is a critical RDT&E production environment that precludes the use of nightlies and frequent builds-from-source. Unfortunately, business security policy requires frequent vulnerability scanning and remediation without exception. Really, just to put a check in the compliance box. (Yeah, it's stupid... and ironically the NAS is on an isolated network with no external connection and has performed a mission-critical function flawlessly for years.)
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
Allow me to be direct - your cybersecurity team is composed of idiots (I can say this, I'm a cyber guy). "Patch all the things without exception" is stupid, impractical, and likely to cause significant business impact. There is such a thing as compensating controls. A web server sitting in the DMZ, with a remote root vulnerability? Absolutely, patch it immediately or turn it off. A NAS, which should live in an internal/trusted zone, where you could even restrict the management to a management network? Of course not.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> your cybersecurity team is composed of idiots

I'll second that.

A simple example is Meltdown/Spectre. Depending on your hardware and your needed performance, the patch could completely cripple your NAS. And if the NAS is truly isolated the way it should be, patching your NAS against that vulnerability would serve no purpose whatsoever.
 

James Moses

Cadet
Joined
Dec 5, 2013
Messages
5
@tvsjr, @Nick2253

>cybersecurity team is composed of idiots

Yep. Already know that.

>And if the NAS is truly isolated the way it should be, patching your NAS against that vulnerability would serve no purpose whatsoever.

...as well as disabling CBC cipher suites in an isolated network that nobody is ever going to brute-force their nation's computing resources to crack.
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
That kind of crap frustrates me. Makes all of us look bad.
 