Go to FortiView Policies and select the now view. You can see traffic flowing through all three security policies. Right-click on the Admin policy and select Drill Down to Details. View the Sources tab to confirm that this policy is being used exclusively by SysAdminPC.
Next-generation firewalls (NGFWs) filter network traffic to protect an organization from internal and external threats. Along with maintaining features of stateful firewalls such as packet filtering, IPsec and SSL VPN support, network monitoring, and IP mapping features, NGFWs possess deeper content inspection capabilities.
Plex Media Servers are great for storing and accessing all your movies, TV shows, and other media. Unfortunately, Plex Server hardware can be expensive, electricity intensive, or both. To reduce both bills, use a Raspberry Pi for a Plex Server.
In an alert published Wednesday, network monitoring firm Netscout warned of an exploit against Plex Media Server, a media library and streaming system that runs on a variety of platforms.
If you need to hide the internal server port number or need to map several internal servers to the same public IP address, enable port-forwarding for Virtual IP. This topic shows how to use virtual IPs to configure port forwarding on a FortiGate unit. This example has one public external IP address.
Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together.
Plex Media Server is a desktop app and the backend server for the Plex media streaming service, designed for streaming movies, TV shows, music, and photo collections over the Internet and on local area networks.
The three vulnerabilities, tracked as CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742, were found by Tenable security researcher Chris Lyne and reported to Plex on May 31st.
If attackers chain together exploits for all these security flaws, they could remotely execute code as SYSTEM, fully take over the operating system, gain access to all files, deploy backdoors, or move laterally to other devices on the same network.
The Plex Security Team rolled out patches for CVE-2020-5740 on April 24 and for CVE-2020-5741 on May 7, and mitigated CVE-2020-5742 via server-side changes.
According to a proof-of-concept attack described by Lyne, threat actors who want to take control of machines running an unpatched Plex Media Server installation would have to start with a phishing email disguised as an email notification and designed to redirect the targeted Plex admin users to an attacker-controlled Plex Media Server.
If the targets fall for the trick and log into the malicious server, 'the attacker can forge requests to the victim’s media server' by abusing the weak cross-origin resource sharing (CORS) policy bug behind CVE-2020-5742 to steal their X-Plex-Token.
Even if the attack stops here, the malicious actors would still have access to the victims' private media and gain the capability to change server settings, restart media server services, and more.
'As of June 15, 2020, Plex has deployed a mitigation on authentication pages server side to notify users if they are logging into an application not hosted by Plex,' Tenable explains.
In the next step, attackers would have to use the stolen admin authentication token to execute arbitrary Python code remotely with the privileges of the media server by exploiting the CVE-2020-5741 flaw in the Plex Media Server plugin framework.
This would enable them to install backdoors on the compromised systems, as well as pivot to other devices on the server's local area network.
Next, the attackers have to exploit the CVE-2020-5740 vulnerability to elevate their privileges to SYSTEM on Windows systems, completely taking over the underlying system and gaining access to all the files.
'After a successful phishing attack, using the acquired X-Plex-Token, CVE-2020-5741 could be exploited to execute code with the privileges of the media server process,' as Lyne explains.
'The level of access could then be escalated to SYSTEM by exploiting CVE-2020-5740 in the Plex Update Service. At this point, the media server would be completely compromised.'
To make sure that their servers are safe from attacks designed to exploit these flaws, users are urged to update to the latest version.
'We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer,' the Plex Security Team said. 'Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade.'
'Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) feature additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommend that all users update to one of these releases.'
Plex also mitigated CVE-2020-5742 by enabling automatic alerts on authentication pages server-side to notify Plex users when they are logging into a media server that's not hosted by Plex.
'Plex Media Server will not automatically update by default but users can enable this within their settings,' Tenable also explains. 'Users can always check the general settings page to see if new updates are available.'
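Because automatic updates are off by default, an inventory check against the version thresholds in the Plex statement helps find servers that still need attention. The following is an added example, not code from Plex or Tenable; the host names and the build hashes in the sample inventory are constructed, and the three status labels are this example's own.

```python
import re

# Thresholds taken from the Plex Security Team statement quoted above.
DISTRIBUTION_FIX_MIN = (1, 18, 2)   # older than this: "will still be exploitable"
HARDENED_BUILDS = {(1, 19, 1): 2701, (1, 19, 2): 2702}  # hardened updater builds


def parse_version(text):
    """Turn '1.19.2.2702-abc123' into (1, 19, 2, 2702); the '-hash' suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-[0-9A-Za-z]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(version_text):
    """Return 'exploitable', 'protected', 'hardened' or 'unknown' for one version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"            # treat unparseable inventory data as needing review
    base, build = version[:3], version[3]
    if base < DISTRIBUTION_FIX_MIN:
        return "exploitable"
    if base in HARDENED_BUILDS:     # 1.19.1 and 1.19.2 each have their own cut-off build
        return "hardened" if build >= HARDENED_BUILDS[base] else "protected"
    return "hardened" if base > max(HARDENED_BUILDS) else "protected"


def needs_upgrade(inventory):
    """List hosts (sorted) that are not on a hardened build."""
    return sorted(h for h, v in inventory.items() if classify(v) != "hardened")


# Constructed sample inventory: hypothetical host names and build hashes.
SAMPLE_INVENTORY = {
    "media-01": "1.18.1.1973-0f4abfbcc",
    "media-02": "1.18.2.2058-e67a4e892",
    "media-03": "1.19.1.2645-ccb6eb67e",
    "media-04": "1.19.2.2702-3b8e1b1f2",
    "media-05": "not reported",
}

if __name__ == "__main__":
    for host, ver in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host}: {ver} -> {classify(ver)}")
    print("upgrade:", ", ".join(needs_upgrade(SAMPLE_INVENTORY)))
```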
More technical information on the inner workings of these three vulnerabilities can be found in Tenable's security advisories:
• Local privilege escalation in Plex Update Service (CVE-2020-5740)
• Auth Python Deserialization RCE (CVE-2020-5741)
• Weak CORS Policy (CVE-2020-5742)
More details on how these vulnerabilities could be chained and abused by attackers to fully compromise servers running Plex Media Server versions older than 1.18.2 can be found within Lyne's blog post.