SOLVED NAME:WRECK - are we at risk?

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
However, I don't see that as enough of a reason to not want some announcement to customers to either upgrade to version 12 or ensure they're not using DHCP.
Or take other measures to not allow a rogue DHCP server on their corporate infrastructure ...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
This is not like a vulnerability that requires physical access to the machine, where you can generally take the "all bets are already off" approach.

And you say that, ... why?

Basically you just said the same thing I said, just on a slightly tighter scope. I just understand that all bets are already off if they have access to your network.
 

gary_1

Explorer
Joined
Sep 26, 2017
Messages
78
Sure, if someone gains access to your LAN with malicious intentions you're in for a lot of hurt. You do what you can to firstly avoid that happening and secondly try to contain what damage can occur when it inevitably does. That doesn't imo mean you shrug your shoulders and not bother informing customers of a new way that they might be hurt by such access. Which, given this vulnerability was raised on forums and not via any official IX posting, I feel they've done.

Just to be clear again, I was not trying to put words in your mouth, I honestly thought you were suggesting there was a way to use ARP against FreeNAS for code execution that I was not aware of. I came to that conclusion (incorrectly it appears) as I assumed that was why you were bringing up ARP in a discussion about a vulnerability with potential code execution.

That said, perhaps I've done a poor job of explaining my position and we're thus talking past each other. Either way it's not really worth either of our time to keep on with the discussion as I expect if we do, it'll end up far away from the original topic.

I do however think ornias was correct that given DHCP is a default (or supported) config, it would be prudent for IX to have made an announcement covering this vulnerability and advised customers to upgrade to 12 or disable it. If there are other known remote exploits then I'd hope they've made similar announcements in the past or start to do so in the future.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, as I said before, this isn't going anywhere for a completely different reason -- the forum isn't the place to advocate for this.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Folks ... please ...

I agree with @jgreco that this vulnerability is of very limited practical relevance in the context of Free/TrueNAS.
Yet here we have a CVE for FreeBSD labeled with "Severity: High" and press coverage that cannot properly differentiate "TCP/IP stacks" and applications running on top of them. Just one example from the otherwise quite renowned German Heise Verlag:

So they are lumping together a severe but rather obscure problem in the FreeBSD DHCP client with bugs in embedded operating systems in one article and claim "100 million exploitable devices".

IMHO it would do a respectable vendor like iXsystems good to issue an official statement explaining the particular circumstances that might make this exploit possible, their take on it, and the recommendation not to configure a server via DHCP, anyway. Wholeheartedly agree with @jgreco on the technical aspects, but I really think a statement is called for given the public hyperbole this issue currently receives.

P.S. and I hate seeing two respected and valued forum regulars like @jgreco and @ornias getting at each others throats.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Thanks for all the comments..

I tend to agree it's low risk (DHCP deployment on 11.3), but it needs to be documented professionally.

I'd suggest we do need a security vulnerability documented on

Two potential resolutions:
1) Disable DHCP on 11.3 - use static IP addressing
2) Update to 12.0

Message me or @Kris Moore if anyone thinks more is needed.
 

nickt

Contributor
Joined
Feb 27, 2015
Messages
131
Thanks @morganL - as the OP - that's enough for me. Never mind the shouting, for better or worse, security disclosures (like this one) sometimes get high media profile, and lesser mortals like me are left wondering whether our TrueNAS systems are at risk. I simply don't have the skills or the time to decode the detail, so a consistent approach where iXsystems clarify what it means for the user base would be super helpful.

Oh, and for the lazy like me, an RSS feed to the security bulletins would be appreciated too.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
We've been working on this issue today. Just wanted to alert you that 11.3-U5 actually has the fix.

TrueNAS/ FreeNAS 11.3-U4 and earlier need to be updated to avoid this vulnerability.
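The two criteria the thread settles on (a TrueNAS/FreeNAS 11.3-U4 or earlier release, and at least one interface configured via DHCP) can be checked mechanically. The script below is an added example written for this page, not iXsystems code and not taken from the security alert. It assumes the host's network configuration is available in FreeBSD rc.conf syntax (lines of the form ifconfig_<if>="DHCP" or "SYNCDHCP") and that the version string looks like TrueNAS-11.3-U4; the "affected" rule is the one stated in this thread (11.3-U4 and earlier need the update, 11.3-U5 and 12.0 have the fix), not an official decision table. The sample configuration is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: triage helper for the "DHCP on 11.3-U4 or earlier" rule from this thread.
# Assumption: network config is expressed in rc.conf syntax (FreeBSD/TrueNAS 11.x style).

# Constructed sample rc.conf fragment (not from a real host).
SAMPLE_RC_CONF='hostname="nas.example.internal"
ifconfig_em0="DHCP"
ifconfig_em1="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_igb0="SYNCDHCP"
ifconfig_bge0="DHCP mtu 9000"
# ifconfig_igb1="DHCP"
defaultrouter="192.0.2.1"'

# dhcp_ifaces: read rc.conf text on stdin, print one interface name per line
# for every ifconfig_<if> entry whose value is DHCP, SYNCDHCP or NOSYNCDHCP
# (optionally followed by extra ifconfig arguments). Commented lines are ignored.
dhcp_ifaces() {
    awk '
        /^[ \t]*ifconfig_[A-Za-z0-9_]+=/ {
            line = $0
            sub(/^[ \t]*ifconfig_/, "", line)
            name = line; sub(/=.*/, "", name)        # e.g. em0
            val  = line; sub(/^[^=]*=/, "", val)     # e.g. "DHCP mtu 9000"
            gsub(/"/, "", val)
            val = " " toupper(val) " "               # pad so the word match is exact
            if (val ~ / (SYNC|NOSYNC)?DHCP /) print name
        }'
}

# affected_version VERSION
#   returns 0 if VERSION is 11.3-U4 or earlier (needs the update per this thread),
#   1 if it is 11.3-U5 or later (including 12.0), 2 if the string is not understood.
# Accepts "TrueNAS-11.3-U4", "FreeNAS-11.3-U5", "12.0-U2", "11.2-U8", "11.3" (treated as U0).
affected_version() {
    v=$(printf '%s' "$1" | sed -n \
        's/^[A-Za-z]*-\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(-U\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; upd=${3:-0}
    if [ "$major" -gt 11 ]; then return 1; fi      # 12.0 and later carry the fix
    if [ "$major" -lt 11 ]; then return 0; fi
    if [ "$minor" -lt 3 ]; then return 0; fi       # 11.2 and earlier: update
    if [ "$minor" -gt 3 ]; then return 1; fi
    [ "$upd" -le 4 ]                               # 11.3-U0 .. 11.3-U4: update
}

# at_risk VERSION RC_CONF_TEXT -> prints "yes", "no" or "unknown"
# "yes" only when BOTH conditions hold: affected release AND a DHCP-configured interface.
at_risk() {
    version=$1
    conf=$2
    ifaces=$(printf '%s\n' "$conf" | dhcp_ifaces)
    rc=0
    affected_version "$version" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown"
    elif [ "$rc" -eq 0 ] && [ -n "$ifaces" ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# Stand-alone usage: report on the constructed sample for a few version strings.
for ver in FreeNAS-11.3-U4 TrueNAS-11.3-U5 TrueNAS-12.0-U2 11.2-U8; do
    printf '%s: DHCP interfaces [%s] -> at risk: %s\n' "$ver" \
        "$(printf '%s\n' "$SAMPLE_RC_CONF" | dhcp_ifaces | tr '\n' ' ')" \
        "$(at_risk "$ver" "$SAMPLE_RC_CONF")"
done
```

On a live TrueNAS 11.x box the same functions can be fed with `cat /etc/rc.conf | dhcp_ifaces` and the version string from `cat /etc/version`; note that TrueNAS regenerates rc.conf from its configuration database, so the "disable DHCP" remedy in the post above belongs in the web UI's network settings, not in a hand edit of that file.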
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Security Alert has been published.

 