
SoftNAS Cloud Storage Platform Vulnerability Disclosed by Digital Defense Researchers

Security fix can be obtained.

Digital Defense, Inc., a security technology and services provider, announced that its Vulnerability Research Team (VRT) discovered a previously undisclosed vulnerability in SoftNAS, Inc.’s Cloud storage platform.

If customers have not followed SoftNAS deployment best practices and have openly exposed SoftNAS StorageCenter ports directly to the internet, SoftNAS Cloud Enterprise 4.2.0 is vulnerable to an authentication bypass that could be leveraged to gain access to the web admin interface without valid user credentials. The vulnerability potentially allows an attacker to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and its data. The vulnerability is not present in SoftNAS Cloud versions prior to 4.2 and is fixed in versions 4.2.2 and later.

What you can do
Information regarding the security fix can be obtained through the SoftNAS release notes. Details of the vulnerability can be found on the Digital Defense blog.

Tom DeSot, EVP and CIO, Digital Defense, said: “SoftNAS has worked closely with our VRT to ensure a fix is available to organizations utilizing the affected platform. The SoftNAS team was extremely collaborative and diligent in their rapid response to the identification of the issue, resulting in a quick resolution.”

“We’re grateful to have partnered with the Digital Defense VRT to strengthen the security of SoftNAS Cloud. The protection and security of customer data is not only of the utmost importance to the SoftNAS team but is also integral to SoftNAS’ core business mission and vision,” said Rick Braddy, co-founder and CTO, SoftNAS.

Digital Defense research methodology and practices
The Digital Defense VRT regularly works with organizations in the responsible disclosure of zero-day vulnerabilities. The expertise of the VRT, when coupled with the company’s next-generation hybrid SaaS security platform, Frontline.Cloud, enables early detection capabilities. When zero-days are discovered and internally validated, the VRT contacts the affected vendor to notify the organization of the new finding(s) and then assists, wherever possible, with the vendor’s remediation actions.

About Digital Defense
Serving clients across numerous industries, Digital Defense’s technology helps organizations safeguard sensitive data and eases the burdens associated with information security. Frontline.Cloud, the original Security SaaS platform, delivers accuracy and efficiencies through multiple systems including Frontline Vulnerability Manager (Frontline VM), Frontline Web Application Scanning (Frontline WAS), Frontline Active Threat Sweep (Frontline ATS) and Frontline Pen Test, while SecurED, the company’s security awareness training, promotes employees’ security-minded behavior. The Digital Defense Frontline suite of products, underpinned by patented technology and complemented with service and support, is highly regarded by industry experts, as illustrated by the company’s designation as 2018 Global Vulnerability Management Customer Value Leadership Award, #10 ranking in Black Book Market Research’s list of Compliance and Risk Management Solutions, five-star review in SC Magazine, and inclusion in CRN’s MSP 500.
