
Critical Security Vulnerabilities Discovered



Posted

If you are running Unraid OS version 6.12.15 or later, including version 7.0.0, the following does not apply (mitigations are in place).  If you are running any earlier Unraid OS 6 release, or any version 7.0.0-rc release, please read on...

 

At Lime Technology, we are committed to the security and reliability of Unraid OS. We value collaboration with the security research community and appreciate the efforts of researchers who help us identify and address potential vulnerabilities.

 

We recently addressed vulnerabilities reported to us on Oct 23, 2024 by George Hamilton, an Offensive Security Consultant. Below is a summary of actions taken:

 

Vulnerability Overview

Immediate Actions Taken

  • Patched vulnerabilities in Unraid OS 7.0.0 and 6.12.15.
  • Released the Unraid Patch Plugin for XSS vulnerabilities if upgrading isn’t immediate.

Security Guidance

  • Update to the latest Unraid OS version.
  • Install the Unraid Patch Plugin.
  • Carefully review third-party plugin updates.

For Plugin Authors

 

We take these reports seriously and follow responsible disclosure best practices. Users are strongly encouraged to update their systems and follow security guidelines.

 

Sincere thanks to George Hamilton and the security research community for their contributions. CVE references for these vulnerabilities will be added here and to the blog post as they become available.

 

Thank you for your trust in Unraid OS.

 

  • Like 10
  • Thanks 8
Posted
26 minutes ago, limetech said:

Patched vulnerabilities in Unraid OS 7.0.0 and 6.12.15.

Thank you for being on top of these issues and addressing them.  Fortunately, all three of my Unraid servers are currently on version 7.0.0.  There are some I manage remotely for family and friends that I will need to update.

  • Thanks 3
Posted
12 minutes ago, writablevulture said:

These disclosures are appreciated, thanks.

 

For a machine on v6.12.14, does the Patch Plugin mitigate only vulnerability 1 as suggested in the blog post or all four vulnerabilities?

 

Just #1, which is necessary for all the other ones.  To be totally safe, you should upgrade to 6.12.15, which adds 'samesite=strict' to the session cookie.

  • Thanks 1
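The reply above points at the SameSite=Strict attribute on the session cookie as the reason to move to 6.12.15 rather than rely on the patch plugin alone. As an added illustration (not code from Unraid or from anyone in this thread), the following Python script parses a Set-Cookie header and reports which cross-site protections the cookie carries. The cookie name "session" and both header strings are constructed placeholders, not captured Unraid traffic.

```python
"""Check a Set-Cookie header for the SameSite, HttpOnly and Secure attributes.

Added example: the headers below are constructed samples, and "session" is a
placeholder cookie name, not Unraid's real session cookie.
"""


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value.

    Returns {"name": ..., "value": ..., "attrs": {...}} where attrs maps the
    lower-cased attribute name to its value, or to True for flag attributes
    such as HttpOnly and Secure that carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def assess_session_cookie(header: str) -> list:
    """Return a list of findings for a session cookie; an empty list means no gaps found.

    SameSite=Strict stops the browser from attaching the cookie to any request
    that originates from another site, which is the cross-site request angle.
    It does not help against script already running on the same origin, so
    HttpOnly and Secure are checked as well.
    """
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("SameSite missing: most browsers fall back to Lax, so "
                        "cross-site top-level navigations still carry the cookie")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: cookie is sent on every cross-site request")
    elif samesite.lower() == "lax":
        findings.append("SameSite=Lax: cookie is still sent on cross-site top-level navigations")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: injected script can read the cookie")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    return findings


# Constructed sample headers showing the difference the attribute makes.
BEFORE = "session=abc123; Path=/; HttpOnly"
AFTER = "session=abc123; Path=/; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_session_cookie(hdr) or ["no findings"])
```

Pointing the script at a real response header (for example, copied from the browser's network panel) shows at a glance whether the session cookie already carries SameSite=Strict; the Secure finding will still appear on a server that is only reached over plain HTTP on the LAN, which is a deployment choice rather than a defect in the cookie.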
Posted
On 1/22/2025 at 2:11 PM, limetech said:

 

Security Guidance

  • Update to the latest Unraid OS version.
  • Install the Unraid Patch Plugin.
  • Carefully review third-party plugin updates.

 

 

The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?

  • Upvote 1
Posted
29 minutes ago, Halstead said:

The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?

The patch plugin will/could be used for other patches in the future. There are not any patches for the latest versions, as the changes are included in the install package.

Posted
7 minutes ago, SimonF said:

The patch plugin will/could be used for other patches in the future. There are not any patches for the latest versions, as the changes are included in the install package.

That doesn't actually answer the question. Do you need to install the patch plugin as well as the updates or not?

Posted
55 minutes ago, Halstead said:

That doesn't actually answer the question. Do you need to install the patch plugin as well as the updates or not?

From what I understand by reading the patcher description, all it does is apply patches on top of the existing version of your usb stick, every time it boots.  It seems like a way to keep your existing stick more updated until you finally get around to updating the stick itself.  I may have misunderstood though.

Posted

 

2 hours ago, Halstead said:

The wording makes it sound like you should install the patch plugin regardless of other actions, but my understanding from other posts is that the plugin is only for those that don't upgrade to the latest 7.x or 6.12.x version. Which is correct?

We recommend that everyone running 6.10.0+ install the plugin - This includes 6.12.15 and 7.0.0

  • Like 2
Posted
5 hours ago, Squid said:

We recommend that everyone running 6.10.0+ install the plugin - This includes 6.12.15 and 7.0.0

Thanks for the clarification, it was not obvious to me that the patch plugin should be installed by every one.

  • Upvote 5
Posted (edited)

Honestly, I would be much more concerned about the lack of any hardening in Unraid, in addition to running docker as root, and the mess of Linux users and permissions in Unraid.

Not to mention the vulnerabilities of the containers people are running, something that could be scanned for easily with Docker Scout, but that is not supported by Unraid either.

 

Hardening:

https://www.cisecurity.org/benchmark/distribution_independent_linux

https://github.com/fgeek/harden.sh

https://docs.docker.com/engine/security/rootless/

Vulnerability and hardening scanner:

https://github.com/aquasecurity/trivy

Vulnerability scanner, easy to integrate in Unraid but only for containers:

https://docs.docker.com/scout/

 

Addressing at least the hardening, rootless docker (podman?) and the users/permissions mess would show a commitment to security.

Edited by L0rdRaiden
