*New 11.4 series Release:
2020-07-03: XigmaNAS 11.4.0.4.7633 - released!

*New 12.1 series Release:
2020-04-17: XigmaNAS 12.1.0.4.7542 - released


We really need "Your" help on XigmaNAS https://translations.launchpad.net/xigmanas translations. Please help today!

Producing and hosting XigmaNAS costs money. Please consider donating for our project so that we can continue to offer you the best.
We need your support! eg: PAYPAL

Security Incident on FreeBSD Infrastructure

General information about XigmaNAS
Forum rules
Set-Up GuideFAQsForum Rules
Post Reply
knotworking
Starter
Starter
Posts: 18
Joined: 17 Nov 2012 13:35
Status: Offline

Security Incident on FreeBSD Infrastructure

#1

Post by knotworking »

Does this effect any of the recent NAS4Free builds?
http://www.freebsd.org/news/2012-compromise.html

Sounds like only third party packages could have been compromised. I'm looking to upgrade to the latest build (I haven't touched my box since July), this security alert just caught my eye & made me think I might want to wait on that.

User avatar
daoyama
Developer
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan
Status: Offline

Re: Security Incident on FreeBSD Infrastructure

#2

Post by daoyama »

knotworking wrote:Does this effect any of the recent NAS4Free builds?
http://www.freebsd.org/news/2012-compromise.html

Sounds like only third party packages could have been compromised. I'm looking to upgrade to the latest build (I haven't touched my box since July), this security alert just caught my eye & made me think I might want to wait on that.
It seems a user using 'pkg_add XXX' is affected.
But NAS4Free build step does not use pkg_add.
Also I use only portsnap fetch & update.

However, to clean the build environment, I have reverted to the snapshot of RC1 without ports, then upgrade it to RC3 again, then portsnap fetch & extract.
The src is fetched by subversion instead of cvsup/csup.
We should not use cvsup or csup at this time.

Daisuke Aoyama
NAS4Free 10.2.0.2.2115 (x64-embedded), 10.2.0.2.2258 (arm), 10.2.0.2.2258(dom0)
GIGABYTE 5YASV-RH, Celeron E3400 (Dual 2.6GHz), ECC 8GB, Intel ET/CT/82566DM (on-board), ZFS mirror (2TBx2)
ASRock E350M1/USB3, 16GB, Realtek 8111E (on-board), ZFS mirror (2TBx2)
MSI MS-9666, Core i7-860(Quad 2.8GHz/HT), 32GB, Mellanox ConnectX-2 EN/Intel 82578DM (on-board), ZFS mirror (3TBx2+L2ARC/ZIL:SSD128GB)
Develop/test environment:
VirtualBox 512MB VM, ESXi 512MB-8GB VM, Raspberry Pi, Pi2, ODROID-C1

User avatar
alexey123
Moderator
Moderator
Posts: 1560
Joined: 19 Aug 2012 08:22
Location: Israel, Karmiel
Contact:
Status: Offline

Re: Security Incident on FreeBSD Infrastructure

#3

Post by alexey123 »

Nas4Free not have any strangle - as for me, after check logs.
But in friday I was lost 2 Ubuntu - on 2 machines I was see some problem as broken /tmp. hmmmm, :evil:
Update:
Checked all logs on 2 servers - not finded any problem.
Crash Ubuntu on laptop - fault keyboard, repaired.
Crash Ubuntu on desktop - probably hard disk or hard disk controller problem. I'll re-install it at weekend.
Last edited by alexey123 on 19 Nov 2012 07:20, edited 1 time in total.
Home12.1.0.4 - Ingva (revision 7091)/ x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS/ 16G RAM / UPS Ippon Back Power Pro 600
Lab 12.1.0.4 - Ingva (revision 7091) /x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600

User avatar
zoon01
Developer
Developer
Posts: 799
Joined: 20 Jun 2012 21:06
Location: Netherlands
Contact:
Status: Offline

Re: Security Incident on FreeBSD Infrastructure

#4

Post by zoon01 »

Here some updated info:

No part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is taking an extremely conservative view on this and is working on the assumption that third-party packages generated and distributed within a specific window could theoretically have been modified.
System specs: XigmaNAS 11.2.0.4 -embedded on Samsung 860 EVO 256GB and Supermicro X10SL7-F w / Bios v3.2, IPMI v.03.86 / CPU E3-1241 v3 @ 3.50GHz - 32GB Crucial DDR3L 1600mhz ECC 1.35v , LSI 2308 on PH20.00.07.00 IT mode, Storage: 5x Western Digital Red (WD30EFRX) raidz

Development system is same system in virtualbox.

User avatar
misterredman
Forum Moderator
Forum Moderator
Posts: 184
Joined: 25 Jun 2012 13:31
Location: Switzerland
Status: Offline

Re: Security Incident on FreeBSD Infrastructure

#5

Post by misterredman »

daoyama wrote:However, to clean the build environment, I have reverted to the snapshot of RC1 without ports, then upgrade it to RC3 again, then portsnap fetch & extract.
The src is fetched by subversion instead of cvsup/csup.
We should not use cvsup or csup at this time.
I saw that the jail howto in the wiki ( http://wiki.nas4free.org/doku.php?id=do ... owto:jails ) still uses csup (for the Advanced topic section where you rebuild world inside the jail). Wouldn't it be better to also use subversion in the future?
NAS1: Pentium E6300 - Abit IP35Pro - 4GB RAM - Backup of NAS2
NAS2: Core 2 Quad Q9300 - Asus P5Q-EM - 8GB RAM
pyload - flexget - tvnamer - subsonic - owncloud - crashplan - plex media server

User avatar
daoyama
Developer
Developer
Posts: 422
Joined: 25 Aug 2012 09:28
Location: Japan
Status: Offline

Re: Security Incident on FreeBSD Infrastructure

#6

Post by daoyama »

misterredman wrote: I saw that the jail howto in the wiki ( http://wiki.nas4free.org/doku.php?id=do ... owto:jails ) still uses csup (for the Advanced topic section where you rebuild world inside the jail). Wouldn't it be better to also use subversion in the future?
Yes. It must use SVN. Also, no longer requires /jail/conf/root/. It is included in 9.1.0.1.454 and later.

Daisuke Aoyama
NAS4Free 10.2.0.2.2115 (x64-embedded), 10.2.0.2.2258 (arm), 10.2.0.2.2258(dom0)
GIGABYTE 5YASV-RH, Celeron E3400 (Dual 2.6GHz), ECC 8GB, Intel ET/CT/82566DM (on-board), ZFS mirror (2TBx2)
ASRock E350M1/USB3, 16GB, Realtek 8111E (on-board), ZFS mirror (2TBx2)
MSI MS-9666, Core i7-860(Quad 2.8GHz/HT), 32GB, Mellanox ConnectX-2 EN/Intel 82578DM (on-board), ZFS mirror (3TBx2+L2ARC/ZIL:SSD128GB)
Develop/test environment:
VirtualBox 512MB VM, ESXi 512MB-8GB VM, Raspberry Pi, Pi2, ODROID-C1

Post Reply

Return to “GENERAL INFORMATION”