pwhodges, Posted May 25, 2023
And the exploit might have been installed before the beta was updated to a more secure version.
Paul
CBers, Posted May 25, 2023 (edited)
So is this only affecting an Emby server that has the Scripter-X plugin installed, or can any Emby server be hacked and then have the plugin installed?
Also, does the helper.dll show up within the Plugins section, or is it hidden?
Edited May 25, 2023 by CBers
softworkz, Posted May 25, 2023
7 minutes ago, CBers said:
    So is this only affecting an Emby server that has the Scripter-X plugin installed, or can any Emby server be hacked and then have the plugin installed?
On many systems - especially Windows - they had ScripterX uninstalled afterwards. But it's not a prerequisite. They start with admin access, so they can just install the plugin.
7 minutes ago, CBers said:
    Also, does the helper.dll show up within the Plugins section, or is it hidden?
There are multiple versions. The initial helper.dll removes itself from the plugin list. A later version doesn't, but there must be an even later version which does remove itself again.
crusher11, Posted May 25, 2023
Ah, I'm only on .29. I can't update further, because I'm on DSM 6. The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.
ebr, Posted May 25, 2023
1 minute ago, crusher11 said:
    The writeup on the website is very Windows-specific
Why do you feel it is Windows-specific?
softworkz, Posted May 25, 2023
4 minutes ago, crusher11 said:
    Ah, I'm only on .29. I can't update further, because I'm on DSM 6. The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.
The relevant measures when your system wasn't affected are these two:
- don't allow local login without password for anybody (ideally you disable all features that are specific to "local network")
- make sure no user has an empty password
rbjtech, Posted May 25, 2023
2 minutes ago, crusher11 said:
    Ah, I'm only on .29. I can't update further, because I'm on DSM 6. The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.
.. some of the recommendations are actually Linux-specific, the hosts file preventive fix for example is not relevant for a Windows user - as for Windows it sits in "C:\Windows\System32\drivers\etc\hosts" ..
softworkz, Posted May 25, 2023
2 minutes ago, rbjtech said:
    .. some of the recommendations are actually Linux-specific, the hosts file preventive fix for example is not relevant for a Windows user - as for Windows it sits in "C:\Windows\System32\drivers\etc\hosts" ..
It was meant to be non-OS-specific: etc/hosts is the path part which is identical on both OSes.
crusher11, Posted May 25, 2023
14 minutes ago, softworkz said:
    don't allow local login without password for anybody (ideally you disable all features that are specific to "local network")
Is there a global setting for this or do I have to disable it per-user? No idea what other settings could vary by network. Admin account has never been allowed password-free access even locally.
adminExitium, Posted May 25, 2023
Fortunately I already had passwords on all my users and the non-password access was disabled for local networks. However, I am shocked that the Emby Team has the ability to shut down any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time, but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.
ebr, Posted May 25, 2023
4 minutes ago, adminExitium said:
    However, I am shocked that the Emby Team has the ability to shut down any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time, but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.
Hi. We never directly accessed anyone's server or data.
adminExitium, Posted May 25, 2023
From the advisory:
    For your safety we have shutdown your Emby Server as a precautionary measure
How was this accomplished then?
rbjtech, Posted May 25, 2023 (edited)
29 minutes ago, adminExitium said:
    Fortunately I already had passwords on all my users and the non-password access was disabled for local networks. However, I am shocked that the Emby Team has the ability to shut down any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time, but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.
This is not the case: they used the standard Emby 'update' mechanism to update the system (i.e. Emby updated itself) and, as explained in the write-up link, they chose to shut down Emby on compromised systems. My personal view is this is a good approach to bring full attention to the user to investigate further.
Edited May 25, 2023 by rbjtech
adminExitium, Posted May 25, 2023
So the shutdown was only limited to bare-metal installs that had auto-update enabled? That does remove my security concerns.
horstepipe, Posted May 25, 2023
Hey folks,
So I'm running:
- Emby server stable v4.7.11.0
- ScripterX plugin is installed
- All users have complex passwords
- None of my users have that passwordless login on local connection enabled
- Emby server is still running
If possible I do not want to remove ScripterX as it manages my (more complex than the implemented one) new content notifications.
Will my server shut down sometime today? Not sure what to expect currently.
Thanks
ebr, Posted May 25, 2023
1 minute ago, horstepipe said:
    Will my server shut down sometime today?
Not if this is correct:
1 minute ago, horstepipe said:
    All users have complex passwords
    None of my users have that passwordless login on local connection enabled
horstepipe, Posted May 25, 2023
Just now, ebr said:
    Not if this is correct:
Yes it is. Thanks
horstepipe, Posted May 25, 2023
Is somebody able to remove the code parts of the plugin which can load and execute external code, or will we need to wait for the dev to return and fix it?
crusher11, Posted May 25, 2023
And since I'm unable to update to close the vulnerability, my server has to basically remain locked down indefinitely. Good fun.
pwhodges, Posted May 25, 2023
If your admin users can only be accessed with a good password, even locally, you should be fine. Also, if you have a reverse proxy, that should also block the vulnerability in its default settings. The problem arose because people loosened their security relying on the ability of the server to identify local access, which the vulnerability broke if there was no other defence.
Paul
rbjtech, Posted May 25, 2023
The key setting is this:
If your Admin account did NOT have the above set (i.e. it said don't require a password on the local network), then the attacker combined this poor choice with the local/remote IP spoofing to then log in as Admin remotely without the need for any password, set or not.
crusher11, Posted May 25, 2023
Mine wasn't, on double-checking, set to require a password, but it was set to require a PIN. And I have NGINX and CloudFlare running.
rbjtech, Posted May 25, 2023
13 minutes ago, crusher11 said:
    Mine wasn't, on double-checking, set to require a password, but it was set to require a PIN. And I have NGINX and CloudFlare running.
With a standard config, NGINX will re-write its passed HTTP headers anyway - this is one key security advantage of using an RP in the first place. It effectively terminates the remote connection (via HTTPS) and then creates a new connection to the local destination by creating its own HTTP(S) headers. So even if you did have 'don't require a password on the local network', the attacker was not given access to your local network in the first place.
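The two posts above (rbjtech on the "don't require a password on the local network" setting, and on why a reverse proxy that writes its own headers blunts the attack) come down to one question: what address does the server believe the client has? The following is an added illustration, not Emby's code and not taken from the advisory. It assumes a generic server that sees the TCP peer address plus request headers, and a proxy that announces the real client in an X-Forwarded-For header (header name and address ranges are assumptions). It contrasts a weak local-network check, which honours a forwarding header from any peer, with a proxy-aware one that only honours it from the operator's own reverse proxy, and shows how the "passwordless on local network" rule behaves under each.

```python
"""Added example (not Emby's code): a "no password on the local network" rule is
only as strong as the server's idea of what "local" means.

Assumptions (illustrative, not taken from Emby): the server knows the TCP peer
address and the request headers; a reverse proxy reports the real client in an
X-Forwarded-For header; the addresses below are constructed sample values
(203.0.113.0/24 is a documentation range).
"""
import ipaddress

# RFC 1918 ranges plus loopback count as "local network" for this example.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_local_address(ip: str) -> bool:
    """True if ip parses and falls inside one of LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def client_ip_naive(peer_ip: str, headers: dict) -> str:
    """Weak version: believes X-Forwarded-For from any peer whatsoever.

    Any peer can therefore present a private address in the header and be
    classified as local, which is the failure the thread is about.
    """
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_proxy_aware(peer_ip: str, headers: dict, trusted_proxies: set) -> str:
    """Hardened version: the header is honoured only when the TCP peer is one
    of our own reverse proxies; every other peer is judged by its real address.

    With a single trusted proxy in front, the value it appended is the
    rightmost entry, so that is the one we take.
    """
    xff = headers.get("x-forwarded-for")
    if xff and peer_ip in trusted_proxies:
        return xff.split(",")[-1].strip()
    return peer_ip


def password_required(allow_passwordless_local: bool, client_ip: str) -> bool:
    """The "don't require a password on the local network" rule, applied to
    whatever address the server decided the client has."""
    if allow_passwordless_local and is_local_address(client_ip):
        return False
    return True


if __name__ == "__main__":
    trusted = {"192.168.1.2"}          # constructed: our own reverse proxy
    remote_peer = "203.0.113.5"        # constructed: an internet peer
    claimed = {"x-forwarded-for": "192.168.1.10"}  # constructed: header the peer sent

    naive_ip = client_ip_naive(remote_peer, claimed)
    aware_ip = client_ip_proxy_aware(remote_peer, claimed, trusted)
    print("naive check treats the remote peer as local:", is_local_address(naive_ip))
    print("proxy-aware check treats it as local:", is_local_address(aware_ip))
    print("password required under naive check:", password_required(True, naive_ip))
    print("password required under proxy-aware check:", password_required(True, aware_ip))
```

Two things follow from running it. First, with the weak check the remote peer is classified as local and the passwordless rule waives the password, which is why softworkz's advice to disable the local-network exemption removes the risk regardless of how the server classifies addresses. Second, when the only path to the server is through a proxy that sets the forwarding header itself (the `192.168.1.2` case), the server sees the real internet address and requires the password, which is rbjtech's point about NGINX.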
Gilgamesh_48, Posted May 25, 2023
My old brain is having problems processing exactly if there is any vulnerability for my server. I do not think there is any possibility of this impacting me, but I want to be sure: I have disabled all remote access and I have very few plugins installed at all. I only have two users and both of them are me. I am currently running Version 4.8.0.37 beta.
So the question: Is there anything I should do, or am I isolated enough that this problem is not an issue for me?
ebr, Posted May 25, 2023
Just now, Gilgamesh_48 said:
    I have disabled all remote access
Then you are not at risk.