Has my Windows emby server been hacked.


tongeha

Recommended Posts

Gilgamesh_48
Just now, ebr said:

Then you are not at risk.

That is exactly what I thought. I just cannot trust my conclusions because my meds make it hard to concentrate at times. I thank you immensely and will rest easier because of your response.

I wonder if I need to work in an extra nap today? ;) :D

  • Like 1

roaku
5 hours ago, softworkz said:

It was meant to be non-OS-specific: 

[screenshot attached]

 

etc/hosts is the path part, which is identical on both OSes

Might want to update this line to remove the Windows specific language:

Quote

You encounter an error entry in the Windows event log, Source=".NET Runtime", EventId=1025 with the same text as above in the event details

 


ebr
34 minutes ago, roaku said:

Might want to update this line to remove the Windows specific language:

Except that is specific to Windows installs.  On those systems we were able to include this information in the system log.


roaku
2 minutes ago, ebr said:

Except that is specific to Windows installs.  On those systems we were able to include this information in the system log.

Ah, I was thinking there was an equivalent message in other OS logs.


2 minutes ago, roaku said:

Ah, I was thinking there was an equivalent message in other OS logs.

Okay, I just made a slight edit to hopefully make that more clear.  Thx.

  • Thanks 1

davedick

Since this appears to be coming from one of the plugins that was previously in the catalog, are there any plans to look at the other plug-ins that are offered?


andrewds

The plugin isn't the root cause; it's a combination of a vulnerability in Emby Server and an insecure administrative user configuration. Once that vulnerability was exploited, the attacker used the administrative access to install a custom plugin and leveraged it to gain more access.

1) Local admin user is set to allow login on the local network without a password;
2) Emby server is exposed directly to the internet and requests to the ports on which it's listening are forwarded/otherwise able to reach Emby server (regardless of whether the server is configured to allow connections from external networks);
3) An attacker exploits the vulnerability described in the first post here to make Emby Server think that the connection is originating on the local network, so it treats the connection as a connection from a local network, bypassing password requirements for external users and ignoring the setting that denies access from external networks;
4) The attacker logs in as an administrative user, presumably by simply clicking their portrait, since it is not hidden on local networks and does not require a password on local networks; and...
5) The attacker now has administrative access to the Emby Server instance and is free to do anything that they wish in that context. In my case Emby Server was running as a user with administrative access to the underlying OS (Windows), so presumably by leveraging the elevated access to interact with the Emby Server process via plugins they could potentially elevate their access further to compromise the system, and potentially use that platform to penetrate more deeply into the infrastructure.

Although I was not compromised because I had other protections in place to mitigate this attack vector, I have since reconfigured Emby Server to run in a normal user context for the underlying OS. I never should have set it up that way in the first place, it grew organically and I missed the mistake.

Edited by andrewds
typo
  • Like 3
  • Agree 1
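The post above lists host-side conditions a defender can verify locally: the account the Emby service runs under (condition 5), whether Emby's ports are listening on an internet-reachable address (condition 2), and the ".NET Runtime" EventId 1025 indicator quoted earlier in the thread. The following read-only triage script is an added example, not code from this thread or from the Emby project. It assumes the Windows service name starts with "Emby" and that Emby uses its default ports 8096/8920; both are parameters you can change. It does not check Emby's own user settings (condition 1), which you review in the Emby dashboard.

```powershell
# Added example, not code from the thread or from the Emby project: a read-only
# triage script for a Windows host that runs Emby Server. It reports the host-side
# conditions described in the thread (service account privilege, listening ports)
# and looks for the ".NET Runtime" EventId 1025 entries quoted earlier.
# Assumptions: the Windows service name starts with "Emby" and the ports are
# Emby's defaults; adjust the parameters if your install differs.
param(
    [string]$ServicePattern = 'Emby%',   # WQL LIKE pattern (assumed service name)
    [int[]]$EmbyPorts = @(8096, 8920)    # assumed default HTTP/HTTPS ports
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service account. LocalSystem or a member of local Administrators means that
#    an attacker holding an Emby admin session can reach the OS through a plugin.
$services = Get-CimInstance Win32_Service -Filter "Name LIKE '$ServicePattern'"
if (-not $services) {
    $findings.Add("No service matching '$ServicePattern'; if Emby runs as a tray app, check the logged-on user's group membership instead.")
}
foreach ($svc in $services) {
    $account = $svc.StartName
    $privileged = $account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
    if (-not $privileged) {
        # Strip any MACHINE\ or DOMAIN\ prefix, then test local Administrators membership.
        $user = ($account -split '\\')[-1]
        try {
            $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
            $privileged = [bool]($members | Where-Object { $_.Name -match "\\$([regex]::Escape($user))$" })
        } catch {
            $findings.Add("Could not enumerate local Administrators (run elevated to check group membership).")
        }
    }
    if ($privileged) {
        $findings.Add("Service '$($svc.Name)' runs as '$account' (PRIVILEGED): reconfigure it to run as a standard user.")
    } else {
        $findings.Add("Service '$($svc.Name)' runs as '$account' (standard user).")
    }
}

# 2. Exposure. A listener bound to 0.0.0.0 or :: is reachable by anything the
#    router forwards to it; as the post notes, the "deny external connections"
#    setting does not help once the connection is made to look local.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $EmbyPorts -contains $_.LocalPort }
foreach ($l in $listeners) {
    $findings.Add("Port $($l.LocalPort) is listening on $($l.LocalAddress); confirm your router does not forward it unless you intend internet exposure.")
}

# 3. Indicator quoted in this thread: .NET Runtime EventId 1025 in the Application log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = '.NET Runtime'; Id = 1025 } -ErrorAction SilentlyContinue
if ($events) {
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        $findings.Add("Event 1025 at $($e.TimeCreated): $firstLine")
    }
} else {
    $findings.Add("No .NET Runtime EventId 1025 entries found in the Application log.")
}

$findings
```

Run it from an elevated PowerShell prompt so that `Get-LocalGroupMember` can read the Administrators group; it only reads state and changes nothing. A "PRIVILEGED" line is the condition the post's author fixed by moving Emby to a normal user account; a 1025 event is worth reading in full against the advisory text before deciding the host is clean.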

GrimReaper
22 hours ago, crusher11 said:

Ah, I'm only on .29. I can't update further, because I'm on DSM 6.

 

21 hours ago, crusher11 said:

And since I'm unable to update to close the vulnerability, my server has to basically remain locked down indefinitely.

As per:

5 minutes ago, Tsch3ns said:

Thanks, I just updated to 4.8.0.32 which seems to be the newest for DSM 6.

that doesn't appear to be correct? Considering the issue was plugged in beta .31, is there something in particular preventing you from updating to .32?

 

 


CBers

@Luke@ebr Just out of curiosity, how was the security fix delivered to the servers?

Was it via an Emby plugin update?
 


rbjtech
2 minutes ago, CBers said:

@Luke@ebr Just out of curiosity, how was the security fix delivered to the servers?

Was it via an Emby plugin update?
 

From the Article.

[screenshot of the article attached]

 


CBers
1 minute ago, rbjtech said:

From the Article.

[screenshot of the article attached]

 

You miss the point.

There was obviously something updated in Emby server to be able to detect the dodgy files/DLLs, so how was that code added?
 


seanbuff
6 minutes ago, CBers said:

There was obviously something updated in Emby server to be able to detect the dodgy files/DLLs, so how was that code added?
 

 

 

  • Like 1
  • Thanks 1

CBers
10 minutes ago, seanbuff said:

 

 

Thanks. I was reading that as you replied.
 

Edited by CBers

crusher11
7 hours ago, GrimReaper said:

 

As per:

that doesn't appear to be correct? Considering the issue was plugged in beta .31, is there something in particular preventing you from updating to .32?

 

 

I can't remember offhand, but I imagine so given I hadn't. There were a few issues that cropped up in the last few betas.


TokioJo

I am one of the affected. I noticed my emby went through the install/uninstall Scripter-X procedure a few days ago and figured it might have been a bugged update that was released and pulled. Once my emby server continued to crash (what I thought at the time), I did a complete uninstall and reinstall and am now on 4.7.12.0. Emby is operating just fine. Since I did a complete removal and install I could not verify if the .dll made its way in, but it is not there now.

How compromised is the system in general now?

Anyone have any ideas on next steps people like myself should take outside of the Emby procedure?

The Windows virus scanner is reporting everything is good but I doubt it will understand this local issue. 


andrewds
5 minutes ago, TokioJo said:

How compromised is the system in general now?

Hello @TokioJo, it's really not easy to say, unfortunately. Does your Emby Server process run in a non-administrator security context? If so, and if the system is remotely modern, up to date, and has up-to-date anti-malware software installed, then the likelihood it is extensively compromised is reduced.

That being said, given we know nothing of the motives/goals of the attacker, nothing of the skill level, and the potential for this exploit to be leveraged to compromise the operating system, had I personally been affected I would at a minimum be reinstalling the OS. If you do any other computing on the device hosting Emby Server (logging into your bank, online shopping, entering credentials anywhere) I would consider those services at risk as well and change passwords, monitor transactions etc.

 

  • Thanks 1

TokioJo

Understood. Not knowing the motivations is perplexing. Thank you for taking the time for replying to me.


crusher11

My situation is as follows:

  • Server is behind NGINX and CloudFlare
  • Server runs on a dedicated Synology NAS
  • Admin account is not visible on the login screen regardless of connection method
  • Admin account required PIN locally, but now requires a password
  • None of the files mentioned in the advisory were found on my system

Am I correct in thinking that this means a) I have not been exploited, and b) even without updating I remain safe from being exploited in the future? How necessary is it to require passwords locally for non-admin accounts under these circumstances?


pwhodges

You have not been exploited - you have already established that for yourself, because you have read the advisory and compared the symptoms.

Your NGINX should keep you safe. It would have to have tricky additional settings, which there would be no reason for you to even find out about, to enable it to become unsafe, and you'd know if you'd done that.

I see no reason to worry about non-admin accounts not using passwords locally.

Paul
