One of the most popular media servers on the internet, Plex, has patched an important bug which potentially could have allowed attackers to exploit its servers in order to deliver distributed denial-of-service (DDoS) attacks. Plex, which enables users to stream video, music and photos from their home computer to their smartphone or other devices, acknowledged the bug in a forum post and said that users would need to download the latest version of the software to protect themselves from DDoS attacks. The vulnerability was discovered by GreatHorn Inc., a US-based threat intelligence firm.
What is a Plex Media Server?
A Plex Media Server is a computer that stores all your media (images, videos, etc.) and makes it available to other devices on your network. You can view your media on any device that has a Plex app installed. So if you want to watch Netflix on your phone or listen to music from iTunes on the PC in the living room, you just open up the appropriate app. If a Plex server bug were exploited by hackers, they could create excessive load on the server until it crashes.
After crashing, they would have access to all of your personal data on the machine. Fortunately for those using the service’s features without giving much thought to security, this bug has been patched. The patch comes after an independent researcher contacted Plex about his findings earlier this month. It’s likely that with this patch out there will be fewer of these kinds of attacks targeting users with unsecured servers.
A recent update to the Plex media server has patched a serious vulnerability that could have allowed attackers to launch distributed denial of service (DDoS) attacks. The bug, which was discovered by security researchers at RedTeam Pentesting, affects versions of the software prior to 126.96.36.199. When exploited, it allows an attacker to remotely execute code on the victim’s machine and take control of their computer.
Researchers determined they could use this exploit to flood targeted networks with requests in an attempt to overwhelm them and render them unusable for legitimate traffic. While Plex said the vulnerability had not been used in any real-world cases as of yet, it urged users to update their servers immediately.
On November 14th, Plex released a patch for a major bug in their media server software. The bug could have allowed attackers to mount a distributed denial of service (DDoS) attack against the server. The patch corrects the flaw and prevents future attacks. However, it’s unclear if any servers were actually attacked before the patch was issued.
Despite this, there is always risk involved with running a public-facing computer with internet access. Users should remain vigilant about ensuring that their devices are patched as soon as possible when vulnerabilities are discovered. One potential way to mitigate the risk of an attack is by using a firewall to limit inbound connections from unauthorized sources.
How Attackers Exploited the Bug
Hackers were able to exploit a flaw in the Plex media server software to turn it into a tool for launching distributed denial of service (DDoS) attacks. The bug was discovered by security researchers at McAfee, who reported it to Plex. The attack worked by sending a specially crafted request to the server that caused it to enter an infinite loop. This caused the server to become unresponsive and unavailable, crashing any applications that were running on it.
The attackers could then use the server to amplify their DDoS attacks. A user would need to be tricked into visiting a web page with malicious code embedded within it. That code would cause the browser to connect to the targeted server and instruct it to go into an infinite loop. Other servers would be recruited from infected clients’ IP addresses. These machines would eventually crash due to the processing power required for such an attack.
If you are running a Plex media server, it is important to update to the latest version as soon as possible. A major bug has been discovered that could be exploited by attackers to launch distributed denial of service (DDoS) attacks.
The flaw was identified and patched by Plex, but because the vulnerability can still be exploited until people upgrade their software, there is still a risk of DDoS attacks. What is most disturbing about this attack vector is how simple it would have been for an attacker to execute this type of exploit, and how widespread the potential damage from such an attack would have been. One only needs to create an empty file with code in its name in the Plex directory, which will result in continuous requests on TCP port 32400.
The reason this is so dangerous is that instead of one large request with high bandwidth and relatively low latency like what might happen in a traditional DDoS attack, these smaller requests are sent at a much higher frequency with lower latency. To put it simply: These types of requests take up far more capacity than one big request.
For example, if someone created just 10 files with code names in their directories on the local hard drive, they could overwhelm some home routers’ capacities before even leaving the LAN!
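As an added example (not code from the article or from Plex), here is a defender-side rate check over constructed connection-log lines that flags any source opening an abnormal number of connections to TCP port 32400 inside a short window, the high-frequency small-request pattern the article describes. The log format, window, threshold and addresses are assumptions for illustration.

```python
# Added example, not code from the article or from Plex: a small rate monitor
# that flags client addresses opening an abnormal number of TCP connections
# to Plex's default port 32400 inside a short sliding window. The log format
# and the addresses below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

PLEX_PORT = 32400
WINDOW = timedelta(seconds=10)   # assumed observation window
THRESHOLD = 50                   # assumed connections-per-window alert level

def parse_line(line):
    """Parse a constructed firewall-style line: '<ISO time> <src_ip> -> <dst_port>'."""
    ts, src, _arrow, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_floods(lines, port=PLEX_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak_count} for sources exceeding `threshold` on `port`."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst_port = parse_line(line)
        if dst_port == port:
            per_src[src].append(ts)
    peaks = {src: max_in_window(ts_list, window) for src, ts_list in per_src.items()}
    return {src: peak for src, peak in peaks.items() if peak > threshold}

def constructed_log():
    """Two normal clients plus one source hammering port 32400 (all constructed)."""
    base = datetime(2019, 5, 20, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=s)).isoformat()} 192.0.2.10 -> 32400"
             for s in (0, 30, 95)]
    lines.append(f"{base.isoformat()} 198.51.100.7 -> 8443")
    # 80 connections from one address spread over about 8 seconds
    lines += [f"{(base + timedelta(milliseconds=100 * i)).isoformat()} 203.0.113.5 -> 32400"
              for i in range(80)]
    return lines

if __name__ == "__main__":
    print(flag_floods(constructed_log()))   # {'203.0.113.5': 80}
```

A real deployment would read these lines from the host firewall or router log and feed the flagged addresses into a block rule; the thresholds here are starting points, not tuned values.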
CVE-2019-12108 is a critical vulnerability in the Plex media server that could allow an attacker to remotely execute code. This exploit could be used to launch a distributed denial of service (DDoS) attack against the server.
The patch for this vulnerability has been released and users are encouraged to update their systems as soon as possible. If they have not received notification of the release via email, or if they use an unsupported version of Plex Media Server, they should contact the vendor directly. Users who already updated to v1.13.0 are safe from this exploit because it was patched with that release on May 15th.