A critical vulnerability in TrueNAS CORE, an open-source storage operating system developed by iXsystems, was recently disclosed by security researchers Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7. This vulnerability, identified as CVE-2024-11944, allows network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication.
The discovery of this vulnerability was presented during the prestigious cybersecurity competition Pwn2Own. The flaw was found in the tarfile.extractall method used by TrueNAS CORE, where improper validation of user-supplied paths enables attackers to exploit a directory traversal vulnerability. By crafting a malicious payload, an attacker can perform unintended file operations, potentially leading to remote code execution with root privileges.
Despite the high CVSS score of 7.5 associated with this vulnerability, exploitation is complex due to its requirement for precise conditions. However, advanced attackers may leverage other security gaps to exploit this flaw and gain full control over the system, compromising the confidentiality, integrity, and availability of data stored on TrueNAS devices.
Multiple versions of TrueNAS CORE are impacted by this vulnerability, and iXsystems has confirmed its presence in the system’s default configuration. Since the flaw does not require prior authentication or user interaction, it poses a significant risk to unpatched systems in network-adjacent environments.
In response to the discovery, iXsystems has promptly released a patch to address the vulnerability. Users are strongly advised to update their systems to the latest version, TrueNAS CORE 13.0-U6.3, to mitigate the risk of exploitation. The security researchers who discovered and disclosed the vulnerability highlighted the importance of proactive security testing in identifying and addressing critical vulnerabilities.
CVE-2024-11944 underscores the challenges associated with maintaining strong security in open-source software. Administrators using TrueNAS CORE are encouraged to apply the update immediately to prevent potential exploitation. This incident serves as a reminder of the importance of regular system updates and implementing vigilant network security practices.
Moving forward, it is crucial for organizations to stay vigilant and proactive in addressing security vulnerabilities to prevent potential breaches and protect sensitive data. By staying up-to-date with security patches and practicing good cybersecurity hygiene, companies can mitigate risks posed by critical vulnerabilities like the one found in TrueNAS CORE.