limetech Posted January 22
If you are running Unraid OS version 6.12.15 or later, including version 7.0.0, the following does not apply (mitigations are in place). If you are running any earlier Unraid OS 6 release, or any version 7.0.0-rc release, please read on...

At Lime Technology, we are committed to the security and reliability of Unraid OS. We value collaboration with the security research community and appreciate the efforts of researchers who help us identify and address potential vulnerabilities. We recently addressed vulnerabilities reported to us on Oct 23, 2024 by George Hamilton, an Offensive Security Consultant. Below is a summary of actions taken:

Vulnerability Overview
- Details available in our blog post.

Immediate Actions Taken
- Patched vulnerabilities in Unraid OS 7.0.0 and 6.12.15.
- Released the Unraid Patch Plugin for XSS vulnerabilities if upgrading isn't immediate.

Security Guidance
- Update to the latest Unraid OS version.
- Install the Unraid Patch Plugin.
- Carefully review third-party plugin updates.

For Plugin Authors
- New security guidance has been issued to ensure compliance with best practices. For details, visit the Security Guidelines for Plugins.

We take these reports seriously and follow responsible disclosure best practices. Users are strongly encouraged to update their systems and follow security guidelines. Sincere thanks to George Hamilton and the security research community for their contributions. CVE references for these vulnerabilities will be added here and to the blog post as they become available. Thank you for your trust in Unraid OS.
10 8 Quote
Hoopster Posted January 22
> 26 minutes ago, limetech said: Patched vulnerabilities in Unraid OS 7.0.0 and 6.12.15.
Thank you for being on top of these issues and addressing them. Fortunately, all three of my Unraid servers are currently on version 7.0.0. There are some I manage remotely for family and friends that I will need to update.
3 Quote
Daniel15 Posted January 22
How do we report security issues? Do we just email [email protected] after reserving a CVE ID? I can't seem to find a security contact on the Unraid site.
Quote
limetech (Author) Posted January 22
> 16 minutes ago, Daniel15 said: How do we report security issues? Do we just email [email protected] after reserving a CVE ID? I can't seem to find a security contact on the Unraid site.
Creating a ticket is preferred, but there is also a "General Inquiries" email option: [email protected].
2 Quote
writablevulture Posted January 22
These disclosures are appreciated, thanks. For a machine on v6.12.14, does the Patch Plugin mitigate only vulnerability 1 as suggested in the blog post, or all four vulnerabilities?
1 Quote
limetech (Author) Posted January 23
> 12 minutes ago, writablevulture said: These disclosures are appreciated, thanks. For a machine on v6.12.14, does the Patch Plugin mitigate only vulnerability 1 as suggested in the blog post, or all four vulnerabilities?
Just #1, which is necessary for all the other ones. To be totally safe, you should upgrade to 6.12.15, which adds 'samesite=strict' to the session cookie.
1 Quote
SinisterSpatula Posted January 23
As a new subscriber I really appreciate the way this was handled and communicated. And big thanks to the researchers out there keeping us all safe. Unraid rocks 🥰
2 Quote
BraveDevotion Posted January 23 (edited)
Planning on updating all servers that are not on V7, but none are accessible publicly, so a bit less risky, correct?
Edited January 23 by BraveDevotion
Quote
Halstead Posted January 23
> On 1/22/2025 at 2:11 PM, limetech said: Security Guidance: Update to the latest Unraid OS version. Install the Unraid Patch Plugin. Carefully review third-party plugin updates.
The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?
1 Quote
SimonF Posted January 23
> 29 minutes ago, Halstead said: The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?
The patch plugin will/could be used for other patches in the future. There aren't any patches for the latest versions, as the changes are included in the install package.
Quote
Halstead Posted January 23
> 7 minutes ago, SimonF said: The patch plugin will/could be used for other patches in the future. There aren't any patches for the latest versions, as the changes are included in the install package.
That doesn't actually answer the question. Do you need to install the patch plugin as well as the updates or not?
Quote
SinisterSpatula Posted January 24
> 55 minutes ago, Halstead said: That doesn't actually answer the question. Do you need to install the patch plugin as well as the updates or not?
From what I understand by reading the patcher description, all it does is apply patches on top of the existing version on your USB stick, every time it boots. It seems like a way to keep your existing stick more updated until you finally get around to updating the stick itself. I may have misunderstood though.
Quote
Squid Posted January 24
> 2 hours ago, Halstead said: The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?
We recommend that everyone running 6.10.0+ install the plugin. This includes 6.12.15 and 7.0.0.
2 Quote
ChatNoir Posted January 24
> 5 hours ago, Squid said: We recommend that everyone running 6.10.0+ install the plugin. This includes 6.12.15 and 7.0.0.
Thanks for the clarification, it was not obvious to me that the patch plugin should be installed by everyone.
5 Quote
ljm42 Posted January 24
> 10 hours ago, ChatNoir said: Thanks for the clarification, it was not obvious to me that the patch plugin should be installed by everyone.
Sorry for the confusion. I posted a more detailed reply here: https://forums.unraid.net/topic/185560-unraid-patch-plugin/page/2/#findComment-1516878 and updated the OP of that thread.
2 Quote
L0rdRaiden Posted January 24 (edited)
Honestly, I would be much more concerned about the lack of any hardening in Unraid, in addition to running docker as root, and the mess of Linux users and permissions in Unraid. Not to mention the vulnerabilities of the containers people are running, something that could be scanned easily with Docker Scout but is not supported by Unraid either.

Hardening:
https://www.cisecurity.org/benchmark/distribution_independent_linux
https://github.com/fgeek/harden.sh
https://docs.docker.com/engine/security/rootless/

Vulnerability and hardening scanner:
https://github.com/aquasecurity/trivy

Vulnerability scanner, easy to integrate in Unraid but only for containers:
https://docs.docker.com/scout/

Addressing at least the hardening, rootless docker (podman?) and the users/permissions mess would show a commitment to security.
Edited January 24 by L0rdRaiden
Quote
starbetrayer Posted January 25
Boy, this is how you handle communication on vulnerabilities. Great job.
2 Quote
warpspeed Posted January 25 (edited)
Edit: re-posted in the correct thread.
Edited January 25 by warpspeed
Quote