
Has my Windows Emby server been hacked?


tongeha


pwhodges

And the exploit might have been installed before the beta was updated to a more secure version.

Paul


CBers

So this is only affecting an Emby server that has the Scripter-X plugin installed, or can any Emby server be hacked and then have the plugin installed?

Also, does the helper.dll show up within the Plugins section, or is it hidden?

Edited by CBers

7 minutes ago, CBers said:

So this is only affecting an Emby server that has the Scripter-X plugin installed, or can any Emby server be hacked and then have the plugin installed?
 

On many systems - especially Windows - they had ScripterX uninstalled afterwards. But it's not a prerequisite. They start with admin access, so they can just install the plugin.

7 minutes ago, CBers said:

Also, does the helper.dll show up within the Plugins section, or is it hidden?

 

There are multiple versions. The initial helper.dll removes itself from the plugin list. A later version doesn't, but there must be an even later version which does remove itself again.


crusher11

Ah, I'm only on .29. I can't update further, because I'm on DSM 6.

The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.


1 minute ago, crusher11 said:

The writeup on the website is very Windows-specific

Why do you feel it is Windows-specific?


4 minutes ago, crusher11 said:

Ah, I'm only on .29. I can't update further, because I'm on DSM 6.

The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.

The relevant measures when your system wasn't affected are these two:

  • don't allow local login without password for anybody (ideally you disable all features that are specific to "local network")
  • make sure no user has an empty password

rbjtech
2 minutes ago, crusher11 said:

Ah, I'm only on .29. I can't update further, because I'm on DSM 6.

The writeup on the website is very Windows-specific. I've killed off remote connections as a precaution, not sure what the best steps are from here.

.. some of the recommendations are actually Linux-specific; the hosts file preventive fix, for example, is not relevant for a Windows user - as for Windows it sits in "C:\Windows\System32\drivers\etc\hosts" ..


2 minutes ago, rbjtech said:

.. some of the recommendations are actually Linux-specific; the hosts file preventive fix, for example, is not relevant for a Windows user - as for Windows it sits in "C:\Windows\System32\drivers\etc\hosts" ..

It was meant to be non-OS-specific: 


etc/hosts is the path part, which is identical on both OSes.

  • Like 1

crusher11
14 minutes ago, softworkz said:

don't allow local login without password for anybody (ideally you disable all features that are specific to "local network"

Is there a global setting for this or do I have to disable it per-user?

No idea what other settings could vary by network. Admin account has never been allowed password-free access even locally.


adminExitium

Fortunately I already had passwords on all my users and the non-password access was disabled for local networks.

 

However, I am shocked that the Emby Team has the ability to shutdown any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.


4 minutes ago, adminExitium said:

However, I am shocked that the Emby Team has the ability to shutdown any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.

Hi.  We never directly accessed anyone's server or data.


adminExitium

From the advisory:
For your safety we have shutdown your Emby Server as a precautionary measure

How was this accomplished then?


rbjtech
29 minutes ago, adminExitium said:

Fortunately I already had passwords on all my users and the non-password access was disabled for local networks.

 

However, I am shocked that the Emby Team has the ability to shutdown any Emby instance remotely without any input from the administrator of the system. This seems like a glaring security breach. The use may have been for good purposes this time but simply having the ability to control any part of the instance remotely outside the control of the administrator is simply unacceptable.

This is not the case, they used the standard emby 'update' mechanism to update the system (ie emby updated itself) and as explained in the write-up link, they chose to shutdown emby on compromised systems.  My personal view is this is a good approach to bring full attention to the user to investigate further.

Edited by rbjtech

adminExitium

So the shutdown was only limited to bare-metal installs who had auto-update enabled?

That does remove my security concerns.


horstepipe

hey folks,

So I'm running Emby server stable v4.7.11.0

ScripterX plugin is installed

All users have complex passwords

None of my users have that passwordless login on local connection enabled

Emby server is still running

 

If possible I do not want to remove scripterx as it manages my (more complex than the implemented one) new content notifications.

 

Will my Server shutdown somewhen today? 🙂

Not sure what to expect currently.

Thanks


1 minute ago, horstepipe said:

Will my Server shutdown somewhen today?

Not if this is correct:

1 minute ago, horstepipe said:

All users have complex passwords

None of my users have that passwordless login on local connection enabled

 

  • Thanks 1

horstepipe

Is somebody able to remove the code parts of the plugin which can load and execute external code or will we need to wait for the dev to return and fix it?


crusher11

And since I'm unable to update to close the vulnerability, my server has to basically remain locked down indefinitely. Good fun.


pwhodges

If your admin users can only be accessed with a good password, even locally, you should be fine.  Also, if you have a reverse proxy, that should also block the vulnerability in its default settings.

The problem arose because people loosened their security relying on the ability of the server to identify local access, which the vulnerability broke if there was no other defence.

Paul

  • Like 1
  • Agree 1

rbjtech

The key setting is this

(screenshot of the per-user "require a password on the local network" setting)

If your Admin account did NOT have the above set (ie it said don't require a password on the local network) - then the attacker combined this poor choice with the local/remote IP spoofing to then login as Admin remotely without the need for any password, set or not.

 

  • Like 1
  • Agree 1
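An added example, not from the thread and not Emby's own code, that turns the two measures softworkz listed (no empty passwords, no passwordless local login) and the key setting rbjtech shows into an audit over a user list. It assumes, unverified here, that Emby's /emby/Users response has a top-level "HasPassword" flag and a "Configuration.EnableLocalPassword" flag where true means a password is required on the local network; the JSON is constructed sample data.

```python
"""Flag Emby user accounts with the two weak settings named in the thread:
an empty password, and "don't require a password on the local network".

Added example, not Emby's code. Assumed (unverified) field names in the
/emby/Users response: "HasPassword" and "Configuration.EnableLocalPassword"
(true = a password is required on the local network). JSON is constructed.
"""
import json

# Constructed sample in the assumed /emby/Users shape: one safe admin,
# one user with passwordless local login, one user with no password at all.
SAMPLE_USERS_JSON = """
[
  {"Name": "admin", "HasPassword": true,
   "Policy": {"IsAdministrator": true},
   "Configuration": {"EnableLocalPassword": true}},
  {"Name": "kids", "HasPassword": true,
   "Policy": {"IsAdministrator": false},
   "Configuration": {"EnableLocalPassword": false}},
  {"Name": "guest", "HasPassword": false,
   "Policy": {"IsAdministrator": false},
   "Configuration": {"EnableLocalPassword": true}}
]
"""

EMPTY_PASSWORD = "empty password"
LOCAL_NO_PASSWORD = "no password required on the local network"


def audit_users(users):
    """Return (name, issue, is_admin) for every weak account.

    Admin accounts are the ones the thread describes being abused, so the
    is_admin flag lets a caller alert on those first.
    """
    findings = []
    for user in users:
        name = user.get("Name", "<unnamed>")
        is_admin = bool(user.get("Policy", {}).get("IsAdministrator", False))
        if not user.get("HasPassword", False):
            findings.append((name, EMPTY_PASSWORD, is_admin))
        if not user.get("Configuration", {}).get("EnableLocalPassword", False):
            findings.append((name, LOCAL_NO_PASSWORD, is_admin))
    return findings


def audit_json(text):
    """Parse a /emby/Users response body and audit it."""
    return audit_users(json.loads(text))
```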

crusher11

Mine wasn't, on double-checking, set to require a password, but it was set to require a PIN. And I have NGINX and CloudFlare running.


rbjtech
13 minutes ago, crusher11 said:

Mine wasn't, on double-checking, set to require a password, but it was set to require a PIN. And I have NGINX and CloudFlare running.

With a standard config, NGINX will re-write its passed http headers anyway - this is one key security advantage of using an RP in the first place.  It effectively terminates the remote connection (via https) and then creates a new connection to the local destination by creating its own http(s) headers.

So even if you did have 'don't require a password on the local network', the attacker was not given access to your local network in the first place.

  • Agree 1
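An added example, not from the thread and not Emby's code, of the decision rbjtech describes as a server would have to make it: derive "is this client local?" from the TCP peer address, and honour a forwarded-for header only when the peer is the reverse proxy you control. It models the thread's "local/remote IP spoofing" with X-Forwarded-For (the thread does not say which header or mechanism Emby trusted); the network ranges and proxy address are constructed.

```python
"""Decide whether a request is "local" without believing client headers.

Added example, not Emby's code. The thread does not name the header Emby
trusted; X-Forwarded-For stands in for it here. Networks and the proxy
address are constructed sample values.
"""
import ipaddress

# Constructed sample: the LAN ranges and the one reverse proxy we control.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.2")}


def _forwarded_for(headers):
    """Case-insensitive lookup of the X-Forwarded-For header value."""
    return next((v for k, v in headers.items()
                 if k.lower() == "x-forwarded-for"), None)


def naive_is_local(headers):
    """Weak design: believe whatever X-Forwarded-For claims."""
    xff = _forwarded_for(headers)
    if not xff:
        return False
    ip = ipaddress.ip_address(xff.split(",")[0].strip())
    return any(ip in net for net in LOCAL_NETWORKS)


def effective_client_ip(peer_ip, headers):
    """Address to base access decisions on.

    X-Forwarded-For is used only when the TCP peer is a trusted proxy, and
    then only its last entry: that is the one the proxy itself appended,
    whereas earlier entries could have been supplied by the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = _forwarded_for(headers)
    if peer in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_local(peer_ip, headers):
    """Hardened check: locality from the peer, or from a trusted proxy."""
    ip = effective_client_ip(peer_ip, headers)
    return any(ip in net for net in LOCAL_NETWORKS)
```

A direct client on the public side cannot become "local" by adding a header, and a client behind the proxy is judged by the address the proxy appended, not by anything it wrote itself.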

Gilgamesh_48

My old brain is having problems processing exactly if there is any vulnerability for my server. I do not think there is any possibility of this impacting me but I want to be sure:
I have disabled all remote access and I have very few plugins installed at all.
I only have two users and both of them are me.
I am currently running Version 4.8.0.37 beta.
So the question:
Is there anything I should do or am I isolated enough where this problem is not an issue for me?


Just now, Gilgamesh_48 said:

I have disabled all remote access

Then you are not at risk.

  • Agree 1
