Tenable Research announced that it has discovered three vulnerabilities in Plex Media Server that could allow attackers, via phishing, to gain unlimited access to the operating system and download private media albums.
The Plex application, which has been called an alternative to Netflix and has become increasingly popular during shelter-in-place orders, lets users stream their own media and share personal libraries among friends. If all three vulnerabilities are exploited together, the attacker could gain unlimited access to the operating system and access any file, pivot to other machines on the network, or install backdoors. At the lowest levels, exploitation could allow an attacker to gain access to any media, including personal videos and pictures, on the victim’s server and then access the underlying operating system.
Plex has released patches and/or mitigations for all vulnerabilities in a rolling process, and Tenable has published plugins to detect vulnerable instances of Plex Media Server. The research is published in a blog post, and a breakdown of each vulnerability follows:
- CVE-2020-5742 – Plex users can share their own media, but if users are sent a link to access someone else’s media, they can’t always determine if they’re logging into their own server or the attacker’s via a phishing link. If the user does log in via the link, the attacker could make requests to the victim’s server and download files such as a private photo album.
- CVE-2020-5741 – After successfully exploiting the previous vulnerability, the attacker could then remotely execute arbitrary code on a Windows machine to gain the same privileges as the media server, and then pivot to other machines on the network or install backdoors.
- CVE-2020-5740 – This local privilege escalation flaw allows attackers to elevate their privileges to the highest level, gaining unlimited access to the underlying Windows operating system to access any files.