22 January 2025

Coordinated Vulnerability Disclosure

Addressing and Mitigating Security Vulnerabilities in Unraid OS


At Lime Technology, we are committed to the security and reliability of Unraid OS. We value collaboration with the security research community and appreciate the efforts of researchers who help us identify and address potential vulnerabilities. 

Below is a detailed disclosure of recent vulnerabilities reported by George Hamilton, an Offensive Security Consultant, along with the measures we have taken to address them.

Overview

This disclosure summarizes vulnerabilities in Unraid OS and related components, detailing their potential impacts, resolutions, and acknowledgments to the researchers. 

All users are strongly encouraged to update their systems to the latest version of Unraid OS to ensure their security.

Vulnerability 1: Reflected Cross-Site Scripting (XSS)

Description

This critical vulnerability allows potential attackers to inject JavaScript via URL parameters in the Unraid web interface. Exploitation could result in code execution as the root user on the Unraid server.

Details

  • Type: Reflected Cross-Site Scripting (XSS)
  • Impact: Code Execution
  • Attack Vector: Exploited via the name parameter in Device Settings and the dir parameter in the Share Browser.
  • Affected Versions: 6.12.13 and earlier
  • Resolution: Fixed in versions 6.12.14 and 7.0.0. If you are unable to upgrade the server now, an Unraid Patch Plugin is available to address this issue in earlier versions. This should be considered a stop-gap until you can upgrade, not a long-term mitigation.

Acknowledgments

George Hamilton

Mitigation

Users should update to version 7.0.0, 6.12.15, or apply the Unraid Patch Plugin as a stop-gap measure until they can upgrade.


Vulnerability 2: Cross-Site Request Forgery (CSRF)

Description

A Cross-Site Request Forgery (CSRF) vulnerability in Lime Technology, Inc.'s Unraid OS version 6.12.14 and earlier allows remote attackers to cause a victim's browser to issue authenticated GET requests to the Unraid OS web interface through top-level navigation, because the Unraid authentication cookie used the "Lax" SameSite policy.

Details

  • Type: Cross-Site Request Forgery (CSRF)
  • Impact: Potential for session hijacking and code execution
  • Attack Vector: Relies on XSS vulnerabilities combined with CSRF.
  • Affected Versions: 6.12.14 and earlier
  • Resolution: Fixed in versions 6.12.15 and 7.0.0. The session cookie's SameSite attribute was changed from "Lax" to "Strict", mitigating cross-site scripting and CSRF.
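To make the Lax-versus-Strict distinction concrete, the following is an added illustration (not Unraid code) that models only the part of the browser's SameSite rules this advisory relies on: under "Lax" a cookie is still attached to a cross-site top-level navigation using a safe method such as GET, while under "Strict" it is withheld from every cross-site request. The Request fields and the forged-navigation scenario are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str                 # "GET", "POST", ...
    cross_site: bool            # initiated from a site other than the cookie's
    top_level_navigation: bool  # e.g. a link click or a location change


def cookie_attached(samesite: str, req: Request) -> bool:
    """Return True if a cookie with the given SameSite value is sent with req.

    Simplified model of the browser's SameSite rules; it ignores the
    Secure requirement for SameSite=None and vendor-specific exceptions.
    """
    policy = samesite.capitalize()
    if not req.cross_site:
        return True   # same-site requests always carry the cookie
    if policy == "Strict":
        return False  # never sent on cross-site requests
    if policy == "Lax":
        # Lax: only on top-level navigations that use a safe method
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    if policy == "None":
        return True   # cross-site allowed (browsers also require Secure)
    raise ValueError(f"unknown SameSite value {samesite!r}")


# Constructed scenario from the advisory: a third-party page sends the
# victim's browser to the Unraid web interface via a top-level GET.
FORGED_NAVIGATION = Request(method="GET", cross_site=True, top_level_navigation=True)


def session_cookie_sent_on_forged_navigation(samesite: str) -> bool:
    """True means the forged request would arrive authenticated."""
    return cookie_attached(samesite, FORGED_NAVIGATION)


if __name__ == "__main__":
    for policy in ("Lax", "Strict"):
        sent = session_cookie_sent_on_forged_navigation(policy)
        print(f"SameSite={policy}: cookie {'sent' if sent else 'withheld'}")
```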

Acknowledgments

George Hamilton

Mitigation

Users should update to version 6.12.15 or 7.0.0 to fully address this vulnerability.


Vulnerability 3: Stored Cross-Site Scripting (XSS)

Description

This low-risk vulnerability allowed attackers with authenticated access to inject JavaScript payloads, which could persist in various web interface fields.

Details

  • Type: Stored Cross-Site Scripting (XSS)
  • Impact: Code Execution
  • Attack Vector: Injection of JavaScript payloads into server and user fields.
  • Affected Versions: 6.12.13 and earlier
  • Resolution: Fixed in versions 6.12.14 and 7.0.0. Guidance was also provided to plugin authors to ensure compliance with the new security measures.

Acknowledgments

George Hamilton

Mitigation

Upgrade to Unraid 6.12.15 or 7.0.0.


Vulnerability 4: Community Applications Repository Takeover

Description

GitHub repositories used by the Community Applications app feed could be transferred to another owner, opening the possibility of hijacking the application templates.

Details

  • Type: Improper Access Control
  • Impact: Code Execution
  • Attack Vector: Requires an attacker to transfer a GitHub repository associated with a Community Application, which could then be used to submit malicious templates to the feed. 
  • Affected Versions: Application feed prior to 11/12/2024
  • Resolution: Policies were hardened around renaming repositories. Updates to the Community Application Feed backend deployed on 11/12/2024 resolved this issue.

Acknowledgments

George Hamilton

Mitigation

The Community Applications app feed now detects repository transfers and holds the affected templates for manual review. No action is needed by users, although we recommend upgrading to the latest Community Applications plugin.
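The transfer check described above, as an added illustration rather than the Community Applications backend's own code. It assumes the feed records, for each accepted template, the GitHub owner and the repository's numeric id (which GitHub keeps stable across transfers and renames), and on each refresh compares that record against the live repository metadata; the RepoRecord type, the Verdict values and all sample data are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PUBLISH = "publish"
    HOLD_FOR_REVIEW = "hold for review"
    REJECT = "reject"


@dataclass(frozen=True)
class RepoRecord:
    owner: str     # account the template was originally accepted from
    repo_id: int   # GitHub's stable numeric repository id


def check_template(stored: RepoRecord, live: dict) -> tuple[Verdict, str]:
    """Compare the stored record against live repository metadata.

    `live` mimics the relevant fields of a GitHub repository object:
    "id" and "owner": {"login": ...}.
    """
    live_id = live.get("id")
    live_owner = (live.get("owner") or {}).get("login")
    if live_id is None or live_owner is None:
        return Verdict.REJECT, "repository metadata incomplete"
    if live_id != stored.repo_id:
        # Same name but a different repository: the original was deleted
        # or renamed and the name re-created by someone.
        return Verdict.HOLD_FOR_REVIEW, "repository id changed"
    if live_owner.lower() != stored.owner.lower():
        # Same repository, new owner: a transfer took place.
        return Verdict.HOLD_FOR_REVIEW, f"transferred from {stored.owner} to {live_owner}"
    return Verdict.PUBLISH, "owner and id match"


# Constructed sample data (placeholder names and ids)
STORED = RepoRecord(owner="example-maintainer", repo_id=123456)
LIVE_UNCHANGED = {"id": 123456, "owner": {"login": "example-maintainer"}}
LIVE_TRANSFERRED = {"id": 123456, "owner": {"login": "someone-else"}}
LIVE_RECREATED = {"id": 999999, "owner": {"login": "example-maintainer"}}

if __name__ == "__main__":
    for label, live in [("unchanged", LIVE_UNCHANGED),
                        ("transferred", LIVE_TRANSFERRED),
                        ("recreated", LIVE_RECREATED)]:
        verdict, why = check_template(STORED, live)
        print(f"{label:12} -> {verdict.value}: {why}")
```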

Conclusion

We take these reports very seriously and have worked diligently to address them promptly, following best practices around responsible disclosure.

Users are strongly advised to:

  • Update to Unraid 7.0.0 or 6.12.15.
  • Download the Unraid Patch Plugin for XSS vulnerabilities if unable to upgrade immediately.
  • Follow best practices for security, such as carefully reviewing third-party plugin updates.

New security guidance was also sent to plugin authors so they can verify that their plugins implement these measures as well.

For additional guidance, visit our forum post or refer to the Unraid Patch Plugin.

We would like to thank George Hamilton and the security research community for their contributions to keeping Unraid OS secure. Once CVEs have been assigned, we will add them here.
