
Tenable Research Discloses Multiple Vulnerabilities in Plex Media Server

Tenable Research discovered multiple vulnerabilities in Plex Media Server, a popular media streaming and sharing service, that could allow attackers to gain full system privileges and access to personal files. Plex has since administered patches and mitigations for these vulnerabilities.

Background

Tenable Research has disclosed three vulnerabilities in Plex Media Server, affecting versions prior to 1.18.2. The Plex application and service allows users to organize and stream their own media through a Netflix-like experience. Users can share personal media libraries among friends and discover related content from traditional streaming sources around the web. This type of service is very popular as people are homebound due to public health orders.

Vulnerabilities

CVE-2020-5742

This vulnerability is due to a weak cross-origin resource sharing (CORS) policy. The attacker would likely exploit this vulnerability through phishing. Since Plex users often share their media by way of email notifications, these phishing attempts may see higher than average success rates. After clicking through to the login screen, users cannot tell if they’re logging into their own Plex server or the attacker’s. Once the victim has logged into the attacker’s media server, the attacker can forge requests to the victim’s media server. For example, the attacker could download a private photo album from the victim’s server. This vulnerability impacts Windows, macOS and Linux versions.

Plex media share - example email notification
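The class of weakness behind CVE-2020-5742, shown as an added example that is not Plex's or Tenable's code: a small audit that classifies the CORS headers a server returns for an untrusted origin, next to an exact-match allowlist policy. The page does not describe Plex's actual headers, so the origins, header sets and function names below are all constructed assumptions.

```python
# Added illustration: a generic CORS policy audit, not Plex or Tenable code.
# Every origin and header set below is constructed sample data.

ALLOWLIST = {"https://app.media.example"}   # hypothetical trusted web client
PROBE = "https://untrusted.example"         # origin the auditor sends


def strict_allow_origin(request_origin, allowlist=ALLOWLIST):
    """Hardened policy: echo an origin only on an exact allowlist match."""
    return request_origin if request_origin in allowlist else None


def audit_cors(probe_origin, response_headers, allowlist=ALLOWLIST):
    """Classify the CORS headers returned for a request from probe_origin."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok"              # browser blocks the cross-origin read
    if acao == "*":
        # Browsers withhold cookies under "*", but a token carried in the
        # URL or a request header is not a CORS "credential".
        return "weak-wildcard"
    if acao == "null":
        return "weak-null"       # sandboxed documents send Origin: null
    if acao in allowlist:
        return "ok"
    if acao == probe_origin:
        return "weak-reflected-credentialed" if creds else "weak-reflected"
    return "review"              # fixed origin that is not on the allowlist


def strict_response(request_origin):
    """Headers a server using strict_allow_origin would send."""
    value = strict_allow_origin(request_origin)
    return {"Access-Control-Allow-Origin": value, "Vary": "Origin"} if value else {}


SAMPLES = {
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "reflected": {"access-control-allow-origin": PROBE,
                  "Access-Control-Allow-Credentials": "true"},
    "null": {"Access-Control-Allow-Origin": "null"},
    "strict": strict_response(PROBE),
}


def run_samples():
    return {name: audit_cors(PROBE, hdrs) for name, hdrs in SAMPLES.items()}
```

`run_samples()` returns a verdict per constructed header set; the `strict` case yields no CORS header for the untrusted probe, so a browser would refuse the cross-origin read.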

CVE-2020-5741

Once a Plex user’s media server is exposed due to CVE-2020-5742, the attacker obtains access to an admin authentication token that would allow them to execute arbitrary code remotely with the same privileges as the media server. From there, the attacker could pivot to other machines on the network or install backdoors. This vulnerability impacts Windows.

CVE-2020-5740

This is a local privilege escalation to SYSTEM. Once the attacker has gained code execution, they would be able to exploit this vulnerability to elevate their privileges to the highest level. This vulnerability impacts Windows.

Attack Scenarios

By chaining these three vulnerabilities together, an attacker can move from a successful phishing attack to full SYSTEM privileges. To understand more about the technical details of how an attacker might chain this attack, read here.

With SYSTEM privileges, the attacker would have unlimited access to the underlying operating system and any local files. If the attacker was only able to get far enough in the chain to exploit CVE-2020-5741, they could still access the underlying operating system and file system, but their level of access would be limited to the privileges of the compromised account.

Even if the attacker only exploits CVE-2020-5742 via phishing, they would still be able to access any media and services on the Plex media server. This is more concerning than a compromised Netflix account, since users store personal pictures, videos and audio files on Plex.

Vendor Response

Plex has released patches for CVE-2020-5740 and CVE-2020-5741 in a rolling process. Users should update to the latest version to address these two vulnerabilities. Plex Media Server does not update automatically by default, but users can enable automatic updates in their settings. Users can always check the general settings page to see if new updates are available.

Plex also administered a mitigation for CVE-2020-5742 that alerts users when they are logging into a server that is not hosted by Plex.

Mitigation alert - server not hosted by Plex

Tenable has published plugins to detect vulnerable instances of Plex Media Server. 
