SoftNAS Cloud Vulnerability Could Allow Hackers to Bypass Authentication

A vulnerability in the SoftNAS Cloud data storage platform could allow attackers to bypass authentication and gain access to a company’s web-admin interface without valid credentials. Security vendor Digital Defense disclosed the flaw in a blog post today, and said SoftNAS worked with its Vulnerability Research Team to issue a fix.

SoftNAS isn’t aware of any customer attacks resulting from the vulnerability. It’s “impossible” to know how many customers were exposed, said Jeff Russo, SoftNAS senior vice president of products. “However, the potential vulnerability could only have potentially affected a small portion of the customer base as it only existed in versions 4.2.0 and 4.2.1, which was only available for two months,” he added. “And again, only customers who did not set up their environment according to SoftNAS best practices were exposed. We stress that customers always maintain the most recent software version and to follow recommended best practices when configuring their environment.”

The vulnerability is not present on SoftNAS Cloud versions prior to 4.2 and is fixed in versions 4.2.2 and later. If customers didn’t follow deployment best practices, then their StorageCenter ports were left exposed to the internet. That exposure would allow an attacker to create new users or execute arbitrary commands with administrative privileges, potentially compromising both the data and the platform.
