What's up with pkg audit results?

Status
Not open for further replies.

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
I found advice to use "pkg audit -F", and got flags on about 20 packages for Freenas and 8 for a jail.
I didn't install anything, all the software in the system was chosen and installed by Freenas itself.

Now I'm seriously worried about the project's security commitment.
Should I be?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Are there any specific concerns? Packages get updated for major releases, unless there's a reason to patch something in a minor update, much like the base system.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
FreeNAS is not intended to be exposed to the network's WAN, so unless there is something specific that concerns you I wouldn't worry much about it.
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
> Are there any specific concerns? Packages get updated for major releases, unless there's a reason to patch something in a minor update, much like the base system.

Having software with a CVE is a massive concern.
Of course you can make sure that a CVE does not affect the software as installed and configured. Usually that's more work than simply rolling out a software update, possibly after some smoke testing.

> FreeNAS is not intended to be exposed to the network's WAN, so unless there is something specific that concerns you I wouldn't worry much about it.

Well, I have the specific concern that security is my top priority.
The attack vector I'm concerned about is ransomware infecting one of our PCs, and attacking Freenas as well. Not today or tomorrow, but the Black Hats will start turning their attention to Freenas, either because Freenas gets a substantial installation share or because other NAS systems are already exploited (NAS exploits have happened in the past already). And once that happens I won't be able to quickly replace Freenas with something secure.

Note that some of the data I've been planning to put on Freenas is so important that losing it would concern me more than losing several months of income.
The diligence level needed to make a software package adequate for trusting it with that kind of relevance is probably beyond the scope.
Please tell me that doing updates is within scope... Freenas isn't going to be a viable solution for me if this isn't the case.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
On whatever old nightly my backup server is on, I see:
  • python 2.7 - Not a concern. If someone is running python on your server, they probably have root already. All the vulnerabilities seem to revolve around libexpat, which parses XML, which is not something FreeNAS uses. Should be patched, but it's not extremely urgent.
  • curl - both seem fairly benign. One is a client-side vulnerability, the other is DoS more than anything.
  • gcrypt - side-channel, so they're logged in locally and thus probably have root anyway
  • nghttp2 - DoS.
  • gnupg - unsanitized inputs may be output to the terminal. Doesn't seem like a concern in FreeNAS.
  • perl - These sound nasty, but it's the same situation as python - if they're running arbitrary perl, they probably got your SSH key first.
  • openSSL - Side-channel and a client DoS.
  • wget - cookie injection vulnerability. Somewhat troubling.
  • git - one only affects NTFS (ha!), the other requires a malicious project. I'm not sure why git is installed in the first place, though...
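The package-by-package triage above is the kind of judgement that is worth recording, so that the next run of `pkg audit -F` only surfaces packages nobody has looked at yet. As an added example (not code from this thread or from FreeNAS), the following Python script parses audit output into findings and checks each against a reviewed-exceptions list keyed by package name. The sample report is constructed to match the usual layout of `pkg audit` output (a `<pkg> is vulnerable:` line, a title line, `CVE:` and `WWW:` lines, then a `N problem(s) ...` trailer); the CVE ids in it are placeholders, and the regexes are an assumption you should adapt if your pkg version prints differently.

```python
"""Triage helper for `pkg audit -F` output.

Added example for the thread above, not FreeNAS code.  The report layout
matched by the regexes is an assumption about pkg's output format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample output; package versions and CVE ids are placeholders,
# not findings from any real system.
SAMPLE_AUDIT = """\
vulnxml file up-to-date
python27-2.7.14_1 is vulnerable:
python -- multiple vulnerabilities
CVE: CVE-0000-0001
CVE: CVE-0000-0002
WWW: https://vuxml.FreeBSD.org/freebsd/example-python.html

curl-7.55.1 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-0000-0003
WWW: https://vuxml.FreeBSD.org/freebsd/example-curl.html

2 problem(s) in the installed packages found.
"""

# Exceptions recorded after a manual review, keyed by package name without
# version.  The note mirrors the reasoning given in the thread.
REVIEWED: Dict[str, str] = {
    "python27": "libexpat XML issues; not reachable on this box, patch at next update",
}

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
CVE_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})$")
WWW_RE = re.compile(r"^WWW:\s*(\S+)$")
TRAILER_RE = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.")


@dataclass
class Finding:
    package: str                      # full name with version, e.g. curl-7.55.1
    title: str = ""                   # one-line VuXML title
    cves: List[str] = field(default_factory=list)
    url: Optional[str] = None

    @property
    def base(self) -> str:
        return pkg_base(self.package)


def pkg_base(package: str) -> str:
    """Strip the trailing version so exceptions can be keyed by package name."""
    return package.rsplit("-", 1)[0]


def parse_audit(text: str) -> Tuple[List[Finding], Optional[int]]:
    """Return the findings and the count pkg itself reported in the trailer."""
    findings: List[Finding] = []
    reported: Optional[int] = None
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                  # blank line closes the current block
            current = None
            continue
        m = VULN_RE.match(line)
        if m:
            current = Finding(package=m.group(1))
            findings.append(current)
            continue
        m = TRAILER_RE.match(line)
        if m:
            reported = int(m.group(1))
            current = None
            continue
        if current is None:           # e.g. "vulnxml file up-to-date"
            continue
        m = CVE_RE.match(line)
        if m:
            current.cves.append(m.group(1))
            continue
        m = WWW_RE.match(line)
        if m:
            current.url = m.group(1)
            continue
        if not current.title:         # first free-text line is the title
            current.title = line
    return findings, reported


def triage(findings: List[Finding], reviewed: Dict[str, str]):
    """Split findings into un-reviewed ones and ones with a recorded exception."""
    needs_attention, accepted = [], []
    for f in findings:
        if f.base in reviewed:
            accepted.append((f, reviewed[f.base]))
        else:
            needs_attention.append(f)
    return needs_attention, accepted


def report(text: str, reviewed: Dict[str, str]) -> dict:
    findings, reported = parse_audit(text)
    new, acc = triage(findings, reviewed)
    return {
        "parsed": len(findings),
        "reported": reported,
        # A mismatch means the parser missed a block: treat as a failed run.
        "count_mismatch": reported is not None and reported != len(findings),
        "needs_attention": [f.package for f in new],
        "accepted": [f.package for f, _ in acc],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_AUDIT, REVIEWED).items():
        print(f"{key}: {value}")
```

In practice the text would come from `pkg audit -F` run on the box or in each jail, and the `REVIEWED` map would live in a file with the date and reasoning for each exception; the `count_mismatch` flag guards against a format change silently hiding findings.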
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Thanks, that's a good writeup.

curl seems actually troubling, Freenas is fetching updates from freenas.org, so it's acting as a client. An attacker would have to set up a man-in-the-middle attack for that to be a real concern, or hack freenas.org (in which case I'm hosed anyway), so it's a somewhat complicated attack.

The rest - meh.

But... I'm pretty sure we're overlooking details, and each detail could be a security hole. I.e. if an attacker has cracking Freenas on the agenda, he can say "pkg audit -F" and start toying with the CVEs; I'd expect a dedicated team to get something running within days or weeks (and maybe even hours).

Given that a competent analysis would take days, it's probably better to just plug the holes, relevant or not.

Which brings me to the question: Is there a chance that Freenas will switch to automatic security updates anytime soon?
Given that Freenas is currently not a target, and unlikely to become a target anytime soon, it's okay for me if this takes a while, but I wouldn't want to wait indefinitely for that.
Say, a handful of months would be fine, a year would be what I'd expect, multiple years would make me think it's not going to happen until the first attacks succeed and that would be too risky for my use case.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> if an attacker has cracking Freenas on the agenda, he can say "pkg audit -F" and start toying with the CVEs;

But they would already have to have access to FreeNAS to run a command like that, in which case you've got bigger problems than a CVE vulnerability.

> Is there a chance that Freenas will switch to automatic security updates anytime soon?

I hope they never do. I don't want any updates installed on my box until they've been vetted a bit. A lot of sysadmins will likely agree with me on this as well.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> But they would already have to have access to FreeNAS to run a command like that, in which case you've got bigger problems than a CVE vulnerability.
Well, they could install FreeNAS in a VM and run pkg audit in there.

> Which brings me to the question: Is there a chance that Freenas will switch to automatic security updates anytime soon?
> Given that Freenas is currently not a target, and unlikely to become a target anytime soon, it's okay for me if this takes a while, but I wouldn't want to wait indefinitely for that.
> Say, a handful of months would be fine, a year would be what I'd expect, multiple years would make me think it's not going to happen until the first attacks succeed and that would be too risky for my use case.
Automatic updates are messy. Microsoft gets away with it on Windows (barely) because the average user is too incompetent to be trusted with anything. Same goes for smartphones and tablets running phone OSes.

Keeping up with FreeNAS updates includes the security stuff. If there's something troubling that has been missed, the devs are more than likely to be glad to roll it up into a minor update.
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
> Well, they could install FreeNAS in a VM and run pkg audit in there.

Yep, that's what hackers do.
After that, they're going to check what exactly was changed to fix the CVE, so they know exactly what code caused the problem, and write their exploit to leverage the issue.

> Automatic updates are messy. Microsoft gets away with it on Windows (barely) because the average user is too incompetent to be trusted with anything. Same goes for smartphones and tablets running phone OSes.

Automatic updates can fail.
However, the process is well-established in the Linux area, where most if not all distributions have something in place. And it works well, I've been running a Linux server and a Linux PC for more than a decade now, and it was never the updates that failed me. (Updates used to fail for Suse in the nineties, but that's quite a while ago now and they had a messed-up approach to system management anyway.)

> Keeping up with FreeNAS updates includes the security stuff. If there's something troubling that has been missed, the devs are more than likely to be glad to roll it up into a minor update.

Is there a process that makes sure that minor updates get applied?
A mailing list just for update announcements would be good if Freenas isn't ready for automatic updates.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
FreeNAS emails you whenever there's an update available.
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Ah, at least that's good.
Now I "just" have to monitor how quickly important CVEs are fixed.
Which is a bit hard to do for me because I don't know enough about the internals to really judge that.
This is all a bit unfortunate, and I'm not feeling very well with that - just the feeling of helplessness one gets when Buffalo tells me "our boxes are employing the latest-and-greatest security technology".
Ah well. Seems like that's what I'm going to get unless I pay real dollars.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I'm not sure you get better, regardless of how much you pay, unless you roll your own stuff.
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
Oh, I'm pretty sure the quality exists and can be bought.
The problem is that I would be unable to distinguish the high-quality products from the merely highly-priced ones. I could ask uncomfortable questions, but I know for a fact that a good salesperson could lie to me left and right and I wouldn't notice a thing.
At least Freenas is Open Source, so until I can shell out a five-digit price (not gonna happen) that's the best option.
Still, I'd like the thing to go for auto-updates. It would be some serious effort, hardening the update server, setting up a serious test suite, surviving the shitstorms with the many minor and (hopefully very) few major issues that will come until the auto-update process settles in... but it's something I'd really want.
Actually Freenas already has better safety nets than any Linux I have seen: OS and data medium are separate (unless you work against the system, and these guys get what they deserve because they wanted it), it can import existing ZFS pools, it can save and restore the full configuration data, and the OS medium itself is running off a ZFS snapshot, and updates are done via ZFS snapshotting. If something goes wrong, there's a multitude of ways to get back to a last known good configuration.
Installing an autoupdater would still be work, of course, but it would be far less risky than for Linux or (heaven forbid!) Windows.
 

jclendineng

Explorer
Joined
Mar 14, 2017
Messages
58
First off, you have full control over jails. If that is your concern... you can tinker with packages to your heart's content. FreeNAS is a system that you don't really want to do that with on the base OS since it's so tightly integrated. If you really want what you are saying, BSD is still free :) a lot of people roll their own NAS using BSD from the command line. That way you have utter control over everything, pkg included. Freenas is secure enough, BSD is pretty secure and it's not a gateway, you have a firewall for that stuff. Ports are not open. It's all good :) it's sitting on your LAN safer than your Windows PC. But jails, yes you have full control over them.

Edit: Plugins you do not, because they are a plugin; you cannot update them either. I'd stay away from plugins for the long term, and build the apps in a jail. That way you can update them. Plugins are a bad idea anyways simply because, while you can patch, the plugin creators do not. Jails can be updated regularly and you get to learn BSD :D always a plus.
 

toolforger

Explorer
Joined
Aug 8, 2017
Messages
60
If doing everything my own way were an option I could consider seriously, I wouldn't have started with Freenas in the first place.
Agreeing about jails vs. plugins. Though the real argument isn't the issue with plugin updates, it's the issue with independence from the base system. Though I toyed a bit with concepts and am not too comfortable with setting up an entire webserver ecosystem. It's going to be easy to do, but I'd have to roll my own reinstall-from-scratch mechanism, something I'm not looking forward to. That said, I will be able to do so, it's just yet another distraction from what I really want to get done and over with.
 