SoftNAS vulnerability lets attackers bypass authentication
Researchers have uncovered a vulnerability in the SoftNAS Cloud data storage platform that could be used to gain access to the webadmin interface without valid user credentials.
Security technology company Digital Defense found the previously undisclosed vulnerability, which arises if customers have not followed SoftNAS deployment best practices and have openly exposed SoftNAS StorageCenter ports directly to the internet.
SoftNAS provides a software-defined cloud NAS for AWS, Microsoft Azure and VMware, among others, so it's widely deployed in many businesses. The vulnerability affects only SoftNAS Cloud versions 4.2.0 and 4.2.1. A patch is available for download via Software Update in the SoftNAS appliance web interface. The vulnerability is not present in versions prior to 4.2 and is fixed from 4.2.2.
"SoftNAS has worked closely with our Vulnerability Research Team to ensure a fix is available to organizations utilizing the affected platform," says Tom DeSot, EVP/CIO at Digital Defense. "The SoftNAS team was extremely collaborative and diligent in their rapid response to the identification of the issue, resulting in a quick resolution."
More information is available in the 4.2.2 release notes.
"We're grateful to have partnered with the Digital Defense VRT to strengthen the security of SoftNAS Cloud. The protection and security of customer data is not only of the utmost importance to the SoftNAS team but is also integral to SoftNAS' core business mission and vision," says Rick Braddy, SoftNAS Co-Founder and CTO.