Plex Media Has a Big Security Flaw

Photo: Nicolas Asfouri (Getty Images)

Plex Media might be best known as the streaming service suited for creating custom TV channels, but it turns out those servers can be abused for more nefarious purposes. On Thursday, the cybersecurity firm Netscout reported that the same custom servers used to host these channels are also being used to beef up distributed denial-of-service (DDoS) attacks, all without Plex’s customers even knowing.

One of Plex’s main selling points is that its customers are able to set up their own Plex server on a bevy of different devices, and then use that server to both house their own custom video, photo, or music libraries, and stream those libraries on other devices. It’s a really handy tool if you want to, say, compile channels with your parent’s favorite shows, and then beam those shows directly to their smart TV.

Per Netscout, when a device running a Plex Media Server boots up and connects to the internet, it uses the Simple Service Discovery Protocol (SSDP) to scan for nearby compatible devices that might want to access the content it holds. In some cases this SSDP traffic reaches the user’s router, and if that router happens to be poorly configured, it can relay the SSDP traffic to and from the open internet, leaving the server’s discovery responder reachable by anyone.


Things get pretty precarious here because SSDP, in general, is easy for bad actors to exploit in order to beef up a DDoS attack. Netscout’s report has the full technical details of how this amplification works, but in a nutshell: plug-and-play devices show up on a network and say a little something to introduce themselves (“Nice to meet you. I’m a wireless thermostat. Here are some neat tricks I can do.”). Normally the network and device get to know each other and things work out fine. In a reflection attack, though, a nefarious person sends discovery requests to loads of these devices with the sender address forged to read as the target’s, so every device delivers its much longer introduction to the target all at once, and instead of a pleasant meet-and-greet, the unfortunate recipient gets a deafening earful.

Netscout said that its analysis turned up roughly 27,000 Plex servers currently reachable on the internet that can be used for these sorts of attacks. In the past, the firm has seen these Plex-based attacks send out reflected packets ranging from 52 to 281 bytes. Individually those packets are tiny, and this is certainly not the biggest DDoS technique we’ve seen as of late, but when enough of these servers are leveraged in a single attack (or when they are used alongside other pieces of insecure, reflection-prone tech), you can see how that would be enough to do some serious damage.
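To see what the exposure and the amplification look like from the defender’s side, here is an added example (not Netscout’s tooling or Plex’s code) that runs over a constructed UDP flow log from a Plex host: it flags discovery-port traffic with peers outside the assumed LAN (192.168.1.0/24) and computes the bytes-out to bytes-in ratio per peer, using the 52- and 281-byte sizes quoted above. The article does not name Plex’s discovery ports, so the standard SSDP port (UDP 1900) stands in for them.

```python
"""Spot SSDP reflection abuse of a Plex host in UDP flow logs (added example,
not Netscout's or Plex's code). Assumed log format: "dir peer_ip port bytes";
the article names no Plex discovery ports, so standard SSDP UDP 1900 stands in."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the server's own LAN
SSDP_PORT = 1900           # substitute the ports Plex's support article lists
AMPLIFICATION_ALERT = 3.0  # bytes out / bytes in at or above this => reflection

# Constructed sample flows. The 52-byte request and 281-byte reply mirror the
# packet sizes Netscout reported; 192.168.1.23 is ordinary LAN discovery.
SAMPLE_LOG = """\
in  192.168.1.23 1900 97
out 192.168.1.23 1900 281
in  198.51.100.7 1900 52
out 198.51.100.7 1900 281
in  203.0.113.9  1900 97
out 203.0.113.9  1900 281
in  203.0.113.9  5000 60
"""

def parse_flows(text):
    """Yield (direction, peer, port, nbytes) tuples from the log text."""
    for line in text.strip().splitlines():
        direction, peer, port, nbytes = line.split()
        yield direction, ipaddress.ip_address(peer), int(port), int(nbytes)

def external_discovery_traffic(flows, port=SSDP_PORT, lan=LAN_NET):
    """Bytes in/out on the discovery port per peer outside the LAN.

    Any external peer at all means the responder is internet-reachable, the
    exposure Plex describes. Under reflection that peer is the spoofed victim,
    not the attacker, so the remedy is blocking the port, not the address.
    """
    totals = {}
    for direction, peer, dport, nbytes in flows:
        if dport == port and peer not in lan:
            totals.setdefault(peer, {"in": 0, "out": 0})[direction] += nbytes
    return totals

def reflection_report(text, port=SSDP_PORT, threshold=AMPLIFICATION_ALERT):
    """Return [(peer, bytes_in, bytes_out, ratio, verdict)] sorted by peer."""
    report = []
    totals = external_discovery_traffic(parse_flows(text), port)
    for peer, t in sorted(totals.items(), key=lambda kv: str(kv[0])):
        ratio = round(t["out"] / t["in"], 2) if t["in"] else float("inf")
        verdict = "REFLECTION" if ratio >= threshold else "exposed"
        report.append((str(peer), t["in"], t["out"], ratio, verdict))
    return report
```

Calling `reflection_report(SAMPLE_LOG)` reports both external peers; the 52-byte-in, 281-byte-out peer crosses the threshold, while the LAN peer and the unrelated port are ignored.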

The firm added that it has seen these Plex-enabled attacks on the rise since November of last year. But Plex certainly isn’t the only vector: back in 2020, the FBI issued an alert warning businesses that their network connections could be exploited to send these sorts of amplified attacks. Just last month, Netscout issued another warning that certain Windows servers could be used to do the same.

We’ve reached out to Plex for comment on the Netscout report, and will update here when we hear back.


I cover the business of data for Gizmodo. Send your worst tips to swodinsky@gizmodo.com.


DISCUSSION

sorrysorryimsorry

Plex responded here: https://forums.plex.tv/t/security-regarding-ssdp-reflection-amplification-ddos/687162

What is it?

We recently became aware of an issue reported by security researchers. It was not disclosed to us prior to the publication.

It describes an issue in which Plex Media Server installations in a specific (and uncommon) network position could potentially be used to reflect UDP traffic on certain device-discovery ports as part of a possible DDoS (distributed denial-of-service) attack.

Am I affected?

The vast majority of Plex Media Server setups are not exposed or affected by this. It specifically requires that either:

  1. the entire device running Plex Media Server be exposed to the public internet (such as one hosted in a data center or the computer being placed in the public “DMZ” of the network router), or
  2. the server administrator has explicitly forwarded UDP traffic on an applicable port from the public internet to the device running Plex Media Server.

Neither of these configurations is typical for normal users. Only a very small portion of Plex Media Server instances will be potentially affected by this.

What is the impact?

This issue does not allow attackers to access any of your private data or make changes to your account. It only allows attackers to cause an affected server to “reflect” UDP packets in order to increase the volume of a denial-of-service attack against some other server or network on the public internet. These “amplification” techniques are common in a variety of widely-used, UDP-based network protocols when services are exposed directly to the public internet (such as DNS or NTP). For more information on amplification attacks and how to protect Internet-facing systems against them, we recommend you review the US-CERT article explaining them.

What can I do?

Again, the vast majority of Plex Media Server users will not be affected by this. For those very few users with a system in one of the affected configurations:

  1. If connected directly to the public internet, configure your server’s firewall to block traffic on the “additional” ports mentioned in this support article.
  2. When using a router performing NAT (this includes most consumer systems), configure it not to forward UDP traffic (on the “additional” ports mentioned in this support article) from the public internet to the device running Plex Media Server.

We will also be releasing a new version of Plex Media Server that contains a hotfix to add an extra layer of protection for those servers that may have been accidentally exposed. It will be available from our regular Downloads page soon. We’ll update this post once the new release is available.