All users of Plex Media Server are urged to apply the hotfix, which directs their servers to respond to UDP requests only from the local network and not the public internet.
Media company Plex has fixed a vulnerability in its media server that could have been used by hackers to strengthen DDoS attacks. In an announcement released last Friday and updated on Saturday, Plex said that it has issued hotfix 66 for Plex Media Server to address the flaw in its product.
SEE: 10 dangerous app vulnerabilities to watch out for (free PDF) (TechRepublic)
Described in an alert issued by network monitoring firm Netscout a couple of days earlier, Plex Media Server could have been used by cybercriminals to amplify DDoS attacks by responding to UDP (User Datagram Protocol) requests from the public internet.
Netscout said that it discovered amplified Plex Media SSDP (PMSSDP) DDoS attack traffic on abused broadband internet access routers directed toward different targets.
To prevent the bug from being exploited, Plex said that its new hotfix will limit its Media Server to respond only to UDP requests only from the local network and not from the public internet. The fix is available in Plex Media Server v126.96.36.19914 or newer and is accessible to both public and beta users of Plex Media Server through the regular Downloads page.
To clarify certain details, Plex said that the exploit would not have allowed attackers to access any private data or make changes to the accounts of its users. Instead, the flaw could have caused an affected server to “reflect” UDP packets as a way to amplify a DDoS attack against another server or network on the internet. An alert from CISA (Cybersecurity & Infrastructure Security Agency) explains how UDP-based amplification attacks work.
Plex also took issue with certain claims made by Netscout in its report. A Plex spokesperson told TechRepublic that the report was correct in saying that a Plex Media Server accessible over the public internet through UDP on port 32414 could be used to reflect traffic and amplify a DDoS attack. However, the report’s assertion that the Plex Media Server will open up access to UDP on port 32414 was incorrect, according to the spokesperson.
“If a Plex Media Server user chooses to enable remote access, Plex Media Server will attempt to use UPnP to open access to TCP on port 32400,” the spokesperson said. “32414/UDP never needs to be accessible remotely and Plex Media Server will never attempt to open that access.”
For a Plex Media Server to be used in the type of DDoS amplification described in the report, it would have to be behind a misconfigured firewall (or no firewall at all), the spokesperson said. To resolve issues with any such servers behind a misconfigured firewall, the current version of the product ignores any UDP traffic directed from or to remote networks.
Plex also offers the following tips for users of its Media Server product:
- If connected directly to the public internet, configure your server’s firewall to block traffic on the “additional” ports mentioned in this support article.
- When using a router performing NAT (this includes most consumer systems), configure it not to forward UDP traffic on these “additional” ports from the public internet to the device running Plex Media Server.