IT News

A site dedicated to IT news.

SoftNAS Cloud 0day found: Upgrade ASAP

https://www.itworld.com/article/3375199/softnas-cloud-0day-found-upgrade-asap.html

SoftNAS users should upgrade their virtual appliance immediately following the discovery of a security issue in the product's session management. Texas pen-testing outfit Digital Defense discovered the vulnerability during an engagement and coordinated disclosure with SoftNAS. Version 4.2.2 contains the relevant security patch.

"SoftNAS Cloud Enterprise 4.2.0 is vulnerable to an authenticated bypass that could be leveraged to gain access to the webadmin interface without valid user credentials," the Digital Defense advisory says. "The vulnerability potentially allows an attacker to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and data."

Typically, a SoftNAS appliance is not deployed internet-facing, which mitigates the risk for users. However, an intruder already inside an enterprise network would find the SoftNAS appliance a softer target than many endpoints, and one rich with backup data to exfiltrate.

"A lot of times when we're in security assessments, we tend to take a very hard look at backup and network-attached storage systems," Mike Cotton, vice president of research and development at Digital Defense, tells CSO. "They house a lot of critical information from hundreds of systems potentially."