Fortigate Rules Plex Media Server


Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together.

Plex Media Server is a desktop application and the backend server for the Plex media streaming service; it streams movies, TV shows, music, and photo collections over the Internet and on local area networks.

The three vulnerabilities, tracked as CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742, were found by Tenable security researcher Chris Lyne and reported to Plex on March 31st.


If attackers chain exploits for all three flaws, they can remotely execute code as SYSTEM, fully taking over the operating system, gaining access to all files, deploying backdoors, or moving laterally to other devices on the same network.

The Plex Security Team rolled out patches for CVE-2020-5740 on April 24 and for CVE-2020-5741 on May 7, and mitigated CVE-2020-5742 via server-side changes.

Phishing attacks leading to system takeover

According to the proof-of-concept attack described by Lyne, threat actors wanting to take control of machines running an unpatched Plex Media Server installation would start with a phishing email disguised as a Plex notification, designed to redirect the targeted Plex admin users to an attacker-controlled Plex Media Server.

If the victim falls for the trick and logs into the malicious server, 'the attacker can forge requests to the victim’s media server' by abusing the weak cross-origin resource sharing (CORS) policy behind CVE-2020-5742 to steal the victim's X-Plex-Token.
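The token theft above hinges on a CORS policy that lets a page on one origin read authenticated responses from another. The following is an added illustration, not Plex's code and not a reconstruction of the specific CVE-2020-5742 bug: it contrasts a weak policy that reflects any Origin header and allows credentials with a hardened one that only answers for an exact-match allowlist, and models the browser-side decision that determines whether the attacker's page can read the response. The allowlist entry `https://media-ui.example` and the attacker origin `https://attacker.example` are constructed values.

```python
"""Weak versus hardened CORS response policy (added example, not Plex code)."""

from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origin the hardened policy trusts.
TRUSTED_ORIGINS = {"https://media-ui.example"}


def weak_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: reflect whatever Origin the request carried and allow
    credentials. A page on an attacker-controlled origin can then read the
    response body of an authenticated request, token included."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(origin: Optional[str], allowlist=TRUSTED_ORIGINS) -> Dict[str, str]:
    """Hardened policy: require https, compare the normalised scheme://host[:port]
    exactly against the allowlist, and emit Vary: Origin so caches never serve
    one origin's CORS headers to another. 'https://media-ui.example.evil.example'
    and 'http://media-ui.example' both fail the exact match."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}"
    if normalized not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_can_read(response_headers: Dict[str, str], page_origin: str,
                     with_credentials: bool = True) -> bool:
    """Simplified model of the browser's CORS check for a credentialed request:
    the response must name the page's origin exactly ('*' is rejected when
    credentials are sent) and must explicitly allow credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None or acao == "*" or acao != page_origin:
        return False
    if with_credentials and response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


if __name__ == "__main__":
    attacker = "https://attacker.example"
    print("weak policy readable by attacker page:",
          browser_can_read(weak_cors_headers(attacker), attacker))
    print("hardened policy readable by attacker page:",
          browser_can_read(hardened_cors_headers(attacker), attacker))
```

The point of `hardened_cors_headers` is that the decision is made on a normalised origin compared for equality, not on a substring or prefix match, which is where most "allowlisted" CORS policies quietly become reflectors.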


Even if the attack stops here, the attackers would still have access to the victim's private media and could change server settings, restart media server services, and more.

'As of June 15, 2020, Plex has deployed a mitigation on authentication pages server side to notify users if they are logging into an application not hosted by Plex,' Tenable explains.

In the next step, attackers would have to use the stolen admin authentication token to execute arbitrary Python code remotely with the privileges of the media server by exploiting the CVE-2020-5741 flaw in the Plex Media Server plugin framework.

This would enable them to install backdoors on the compromised systems, as well as pivot to other devices on the server's local area network.
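The advisory title for CVE-2020-5741 ("Auth Python Deserialization RCE") points at the general mechanism: Python's pickle format can encode a call to any importable callable, so deserialising attacker-controlled bytes is code execution with the privileges of the deserialising process. The following is an added, generic illustration of that mechanism and of a restricted unpickler that refuses it; it is not Plex's plugin-framework code and does not reproduce the specific CVE-2020-5741 payload. The environment variable name `PLEX_DEMO_UNPICKLED` is a constructed side-effect probe used only so the effect can be observed.

```python
"""Python pickle deserialisation as RCE, and a restricted unpickler
(added example, not Plex code)."""

import io
import os
import pickle

# Constructed probe: the gadget sets this env var so its execution is observable.
MARKER = "PLEX_DEMO_UNPICKLED"


class Gadget:
    """Pickles to a call of builtins.eval. The class itself never appears in
    the byte stream, only the callable and its argument, so the receiving
    process does not need this class to exist for the call to happen."""

    def __reduce__(self):
        # A real attacker would spawn a shell here; this payload only sets an
        # environment variable in the process that unpickles it.
        code = f"__import__('os').environ.__setitem__({MARKER!r}, 'executed')"
        return (eval, (code,))


def build_attacker_payload() -> bytes:
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    """Constructed benign message: plain containers and scalars only."""
    return pickle.dumps({"user": "alice", "ids": [1, 2, 3]})


def unsafe_load(data: bytes):
    """Vulnerable pattern: pickle.loads on bytes received from the network.
    Any callable named in the stream runs during loading."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup. Dicts, lists, strings and numbers still
    load; anything that needs a callable (every RCE gadget) is rejected
    before it is invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def marker_was_set() -> bool:
    return os.environ.get(MARKER) == "executed"


def clear_marker() -> None:
    os.environ.pop(MARKER, None)


if __name__ == "__main__":
    payload = build_attacker_payload()
    print("restricted unpickler rejects gadget:", safe_load_rejects(payload))
    print("marker before unsafe load:", marker_was_set())
    unsafe_load(payload)
    print("marker after unsafe load:", marker_was_set())
    clear_marker()
```

Even the restricted unpickler is a stopgap: the durable fix for data crossing a trust boundary is a format with no code-loading semantics at all, such as JSON, and authenticating the sender before parsing anything.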

Next, the attackers have to exploit the CVE-2020-5740 vulnerability to elevate their privileges to SYSTEM on Windows systems, effectively completely taking over the underlying system and gaining access to all the files.

'After a successful phishing attack, using the acquired X-Plex-Token, CVE-2020–5741 could be exploited to execute code with the privileges of the media server process,' as Lyne explains.

'The level of access could then be escalated to SYSTEM by exploiting CVE-2020–5740 in the Plex Update Service. At this point, the media server would be completely compromised.'

Update to the latest version to mitigate

To make sure their servers are safe from attacks exploiting these flaws, users are urged to update to the latest version.

'We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer,' the Plex Security Team said. 'Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade.'

'Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) feature additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommend that all users update to one of these releases.'

Plex also mitigated CVE-2020-5742 by enabling automatic alerts on authentication pages server-side to notify Plex users when they are logging into a media server that's not hosted by Plex.

'Plex Media Server will not automatically update by default but users can enable this within their settings,' Tenable also explains. 'Users can always check the general settings page to see if new updates are available.'

More technical information on the inner workings of these three vulnerabilities can be found in Tenable's security advisories:


• Local privilege escalation in Plex Update Service (CVE-2020-5740)


• Auth Python Deserialization RCE (CVE-2020-5741)


• Weak CORS Policy (CVE-2020-5742)


More details on how these vulnerabilities could be chained and abused by attackers to fully compromise servers running Plex Media Server versions older than 1.18.2 can be found in Lyne's blog post.
