Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together.
Plex Media Server is a desktop app and the backend server for the Plex media streaming service, designed for streaming movies, TV shows, music, and photo collections to devices over the Internet and on local area networks.
The three vulnerabilities, tracked as CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742, were found by Tenable security researcher Chris Lyne and reported to Plex on May 31st.
If attackers chain together exploits for all these security flaws, they could remotely execute code as SYSTEM, fully taking over the operating system, gain access to all files, deploy backdoors, or move laterally to other devices on the same network.
The Plex Security Team rolled out patches for CVE-2020-5740 on April 24 and for CVE-2020-5741 on May 7, and mitigated CVE-2020-5742 via server-side changes.
Phishing attacks leading to system takeover
According to a proof-of-concept attack described by Lyne in his write-up, threat actors wanting to take control of machines running an unpatched Plex Media Server installation would have to start with a phishing email disguised as a Plex email notification, designed to redirect the targeted Plex admin users to an attacker-controlled Plex Media Server.
If the victim falls for the trick and logs into the malicious server, 'the attacker can forge requests to the victim's media server' by abusing the weak cross-origin resource sharing (CORS) policy bug behind CVE-2020-5742 to steal their X-Plex-Token.
Even if the attack stopped here, the malicious actors would still have access to the victim's private media and gain the ability to change server settings, restart media server services, and more.
'As of June 15, 2020, Plex has deployed a mitigation on authentication pages server side to notify users if they are logging into an application not hosted by Plex,' Tenable explains.
In the next step, attackers would have to use the stolen admin authentication token to execute arbitrary Python code remotely with the privileges of the media server by exploiting the CVE-2020-5741 flaw in the Plex Media Server plugin framework.
This would enable them to install backdoors on the compromised systems, as well as pivot to other devices on the server's local area network.
Next, the attackers would have to exploit the CVE-2020-5740 vulnerability to elevate their privileges to SYSTEM on Windows, completely taking over the underlying system and gaining access to all of its files.
'After a successful phishing attack, using the acquired X-Plex-Token, CVE-2020–5741 could be exploited to execute code with the privileges of the media server process,' as Lyne explains.
'The level of access could then be escalated to SYSTEM by exploiting CVE-2020–5740 in the Plex Update Service. At this point, the media server would be completely compromised.'
Update to the latest version to mitigate
To make sure that their servers are safe from attacks designed to exploit these flaws, users are urged to update to the latest version.
'We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer,' the Plex Security Team said. 'Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade.'
'Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) feature additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommend that all users update to one of these releases.'
Plex also mitigated CVE-2020-5742 by enabling automatic alerts on authentication pages server-side to notify Plex users when they are logging into a media server that's not hosted by Plex.
'Plex Media Server will not automatically update by default but users can enable this within their settings,' Tenable also explains. 'Users can always check the general settings page to see if new updates are available.'
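Because the fixes are tied to specific releases, a defender checking a fleet needs to compare Plex version strings correctly. The following is an added example, not code from Plex or Tenable: it classifies a version string against the thresholds quoted above (1.18.2 and 1.19.1.2701) and lists hosts that still need an upgrade; the inventory is constructed, and the handling of a trailing `-<build hash>` suffix is an assumption.

```python
# Added example (not Plex's or Tenable's code): classify a Plex Media Server
# version string against the thresholds quoted in the article, and list which
# hosts in an inventory still need an upgrade. Version strings are dotted
# integers of varying length ("1.18.2" vs "1.19.1.2701"), so they must be
# compared component by component as numbers; comparing them as strings would
# rank "1.9.x" above "1.18.x".
from typing import Dict, List, Tuple

MIN_PROTECTED = "1.18.2"       # protected by the update-distribution change (article)
HARDENED_FROM = "1.19.1.2701"  # updater hardening present from this release (article)


def parse_version(ver: str) -> Tuple[int, ...]:
    """'1.19.1.2701' -> (1, 19, 1, 2701); short versions are padded with zeros.

    A trailing '-<build hash>' suffix is ignored (assumption: some builds carry
    one; the article shows only the dotted part).
    """
    dotted = ver.strip().split("-", 1)[0]
    nums = tuple(int(p) for p in dotted.split("."))
    return nums + (0,) * (4 - len(nums))


def classify(ver: str) -> str:
    """Return 'hardened', 'protected' or 'vulnerable' per the article's thresholds."""
    v = parse_version(ver)
    if v >= parse_version(HARDENED_FROM):
        return "hardened"    # also has the updater hardening
    if v >= parse_version(MIN_PROTECTED):
        return "protected"   # covered by the server-side change, but not hardened
    return "vulnerable"      # older than 1.18.2: still exploitable, must upgrade


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose reported version is below 1.18.2, sorted by name."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "vulnerable")


# Constructed sample inventory (hostname -> version reported by the server).
INVENTORY = {
    "media-01": "1.19.2.2702-abc123",
    "media-02": "1.18.2",
    "media-03": "1.9.9",        # string comparison would wrongly rank this newest
    "media-04": "1.17.0.1709",
}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:10} {ver:22} {classify(ver)}")
    print("needs upgrade:", hosts_needing_upgrade(INVENTORY))
```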
More technical information on the inner workings of these three vulnerabilities can be found in Tenable's security advisories:
• Local privilege escalation in Plex Update Service (CVE-2020-5740)
• Auth Python Deserialization RCE (CVE-2020-5741)
• Weak CORS Policy (CVE-2020-5742)
More details on how these vulnerabilities could be chained and abused by attackers to fully compromise servers running Plex Media Server versions older than 1.18.2 can be found in Lyne's blog post.