Plex patches media server bug potentially exploited by DDoS attackers
All users of Plex Media Server are urged to apply the hotfix, which directs their servers to respond to UDP requests only from the local network and not the public internet.
Media company Plex has fixed a vulnerability in its media server that could have been used by hackers to strengthen DDoS attacks. In an announcement released last Friday and updated on Saturday, Plex said that it has issued hotfix 66 for Plex Media Server to address the flaw in its product.
SEE: 10 dangerous app vulnerabilities to watch out for (free PDF) (TechRepublic)
Described in an alert issued by network monitoring firm Netscout a couple of days earlier, Plex Media Server could have been used by cybercriminals to amplify DDoS attacks by responding to UDP (User Datagram Protocol) requests from the public internet.
Netscout said that it discovered amplified Plex Media SSDP (PMSSDP) DDoS attack traffic on abused broadband internet access routers directed toward different targets.
To prevent the bug from being exploited, Plex said that its new hotfix will limit its Media Server to respond only to UDP requests only from the local network and not from the public internet. The fix is available in Plex Media Server v1.21.3.4014 or newer and is accessible to both public and beta users of Plex Media Server through the regular Downloads page.
To clarify certain details, Plex said that the exploit would not have allowed attackers to access any private data or make changes to the accounts of its users. Instead, the flaw could have caused an affected server to “reflect” UDP packets as a way to amplify a DDoS attack against another server or network on the internet. An alert from CISA (Cybersecurity & Infrastructure Security Agency) explains how UDP-based amplification attacks work.
Plex also took issue with certain claims made by Netscout in its report. A Plex spokesperson told TechRepublic that the report was correct in saying that a Plex Media Server accessible over the public internet through UDP on port 32414 could be used to reflect traffic and amplify a DDoS attack. However, the report’s assertion that the Plex Media Server will open up access to UDP on port 32414 was incorrect, according to the spokesperson.
“If a Plex Media Server user chooses to enable remote access, Plex Media Server will attempt to use UPnP to open access to TCP on port 32400,” the spokesperson said. “32414/UDP never needs to be accessible remotely and Plex Media Server will never attempt to open that access.”
For a Plex Media Server to be used in the type of DDoS amplification described in the report, it would have to be behind a misconfigured firewall (or no firewall at all), the spokesperson said. To resolve issues with any such servers behind a misconfigured firewall, the current version of the product ignores any UDP traffic directed from or to remote networks.
In response to Plex’s concerns, Hardik Modi, assistant VP of engineering for Netscout, said that the initial report was updated over the weekend with the latest information on the patch. At this point, around 37,000 abuseable Plex servers are now observable on the internet, according to Netscout. Further, Modi said that Netscout found 5,500 separate DDoS attacks involving this exploit, leveraging around 15,500 separate Plex servers.
Responding to Plex’s charges that certain aspects of the Netscout report were incorrect, Modi said that all the details related to the prevalence and abuseability of these servers was accurate. Even if the abuseability was due to user misconfiguration, the result would still be a wide number of abuseable deployments.
“From the network operator and victim perspective, the impact of the attacks doesn’t change—abuseable Plex systems are being used in DDoS attacks and our guidance still holds,” Modi said. “Widespread deployment of the new software update will be the systemic fix to the use of this vector and we welcome the steps that Plex has taken.”
Finally, Plex also offered the following tips for users of its Media Server product:
- If connected directly to the public internet, configure your server’s firewall to block traffic on the “additional” ports mentioned in this support article.
- When using a router performing NAT (this includes most consumer systems), configure it not to forward UDP traffic on these “additional” ports from the public internet to the device running Plex Media Server.
Editor’s note: This article has been updated with comment from Netscout.