Media streaming and sharing service addresses phish to system compromise risk

UPDATED Security researchers uncovered vulnerabilities in Plex that created a means for attackers to compromise devices or access private video or picture files on a vulnerable server.

All three vulnerabilities in the systems, discovered by network security tools firm Tenable, have been patched.

The Plex application allows users to organize and stream their own media through a Netflix-like experience. Users can share personal media libraries among friends as well as discovering related content from traditional streaming sources.

The technology has become increasingly popular during lockdown, prompting security researchers at Tenable to put it under the microscope.

From three-card phish to system pwnage

The researchers discovered that, when chained together, the trio of flaws allowed an attacker to move from a successful phishing attack to taking full system privileges.

The first vulnerability (CVE-2020-5742) arises because if users are sent a link to access someone else’s media, it‘s unclear if they’re logging into their own server or the attacker’s via a phishing link.

The security weakness – the result of a weak cross-origin resource sharing (CORS) policy – makes it easy for attackers to trick potential marks into handing over their login credentials.

While the first vulnerability is a cross platform problem the second link in the chain is restricted to Windows systems. This vulnerability (CVE-2020-5741) means that an attacker could obtain access to an admin authentication token that would allow them to execute arbitrary code remotely with the same privileges as the media server.

This second flaw creates a means to attack other systems on the same network.

The third vulnerability (CVE-2020-5740), also limited to Windows, represents a local privilege escalation to SYSTEM risk.

“By chaining these three vulnerabilities together, an attacker can move from a successful phishing attack to full SYSTEM privileges,” Tenable explains in a blog post summarising its main findings.

Tenable researcher Chris Lyne told The Daily Swig that, left unresolved, the vulnerabilities might be abused to hack into other devices on the same network

"An attacker could use the vulnerabilities in Plex to reach other connected devices within the home network,” Lyne explained. “After gaining code execution via the Plex vulnerabilities, the attacker would be able to communicate with these devices and potentially pivot to them.

“To move laterally, a separate vulnerability or misconfiguration in another device would likely be required," he added.

More details on the security weaknesses can be found in a technical blog post by the firm.

All three vulnerabilities in Plex Media Server affect versions prior to 1.18.2. Plex has released patches for CVE-2020-5740 and CVE-2020-5741. Auto-updates are not enabled by default, but users can enable this within their settings.

Plex also applied a mitigation for the phishing vulnerability that alerts users when they are logging into a server that is not hosted by Plex.

Full disclosure

Tobias Hieta, security team lead at Plex, praised Tennable’s “high quality security reports”.

“They did a great job finding some real nasty exploits,” he said in a Twitter post.

Lyne explained that he began looking into technology after hearing someone discuss accessing their Plex hosted media from a mobile device and realizing it might be an interesting target from a security perspective.

Tenable is yet to access comparable technologies and was therefore unable to offer an assessment of whether or not Plex was better or worse than its peers.

"Tenable Research hasn't explored other streaming services to date," Lyne said. "Plex’s product security team handled the coordinated disclosure well."

This story has been updated to add comment from Tenable researcher Chris Lyne.

YOU MIGHT ALSO LIKE Flaw in property inventory website exposed thousands of users’ home contents