FULL DISCLOSURE: Data Collection in the Process of BotNet Takedown


softworkz

ember1205
4 minutes ago, rbjtech said:

Right - when you say 'select Admin user' - do you mean you have the Admin users displayed ?  

This is maybe where the difference is ?

Nope... No difference. Hiding the admin user, forcing manual login, it still directly opens the site even after a full shut down and process stop of the browser.

CBers
7 minutes ago, rbjtech said:

ok, not 100% following - as since day dot, I've never allowed any Emby Admin account with remote login, nor to be displayed as a 'user', even locally.   Having the 'username' (which is hopefully not 'Admin' lol) is all part of the security - if you don't even know the username, you have nothing to bruteforce..

None of my users are displayed when connecting remotely.
 

rbjtech
Just now, darkassassin07 said:

That's the 'remember me' function, which saves a session key that your browser later presents to auth. Your browser only has that key because you've previously logged in with your user+pass and selected 'remember me'.

 

Password-less login doesn't require auth at all. Just a username.

Exactly - not sure what the issue is here.

Do the same with any other web site - the previously saved session cookie/token will Auth once you have presented the username.  But it's only valid for that browser - and will be challenged on a 'new' device.

To remove it, just delete the saved password in the browser and it will ask you for the password again ...

Pretty normal behaviour ...

ember1205
2 minutes ago, darkassassin07 said:

That's the 'remember me' function, which saves a session key that your browser later presents to auth. Your browser only has that key because you've previously logged in with your user+pass and selected 'remember me'.

 

Password-less login doesn't require auth at all. Just a username.

Yes, understood.

The app, however, does not save a session key like a browser does, making launching of the app a giant PITA if you have to enter a strong password every time. I pulled the Admin properties off of my main account used for viewing and set it to allow password-less so that I can use it from the app.

rbjtech
Just now, CBers said:

None of my users are displayed when connecting remotely.
 

ok - so you have an 'Admin' user with remote access granted, if you remotely login with that user (using a manually typed in username and password) - then come out the App.   It then automatically logs you in again when you re-open the App ?

That is 'normal' for a User - but I've never allowed this on an Admin account, so if it does it for an Admin account, then I now get where you're coming from.

darkassassin07
1 minute ago, ember1205 said:

Yes, understood.

The app, however, does not save a session key like a browser does, making launching of the app a giant PITA if you have to enter a strong password every time. I pulled the Admin properties off of my main account used for viewing and set it to allow password-less so that I can use it from the app.

Which app?

 

I manage my server almost entirely from android and never have to enter my pass, it just remembers me. They all have a remember me option just like the web app/browser afaik.

CBers
3 minutes ago, rbjtech said:

ok - so you have an 'Admin' user with remote access granted, if you remotely login with that user (using a manually typed in username and password) - then come out the App.   It then automatically logs you in again when you re-open the App ?

 

No.

I have to enter the username and password every time when remote.

On my PC in my local network, it doesn't display the username/password prompt, as I have the "Don't require a password on the local network" option enabled.
 

Please note that these were just emergency measures and not changes to Emby. These will come in the future.

The security measures will be re-applied after a restart, but meanwhile you can set it to what you want and the behavior will be like before.

Just don't do it. As simple as that.

ember1205
22 minutes ago, darkassassin07 said:

Which app?

 

I manage my server almost entirely from android and never have to enter my pass, it just remembers me. They all have a remember me option just like the web app/browser afaik.

Android TV - session will not survive an exit and relaunch when a PW is being used (seemingly). 

28 minutes ago, ember1205 said:

Android TV - session will not survive an exit and relaunch when a PW is being used (seemingly)

And in the options what is the "Startup behavior" set to?

pwhodges
2 hours ago, darkassassin07 said:

You can still set it, but it will reset itself again shortly (with the same notice in the alerts), and even while set it will refuse to auth with a pin/without a pass.

In my testing it enabled me to log in an admin without a password - but as you say, it gets reset.  It's likely that they will either update that code in the server itself once the scramble is over, or at least add warnings as well as changing the default.  They've already said somewhere that this was a quick fix that will need more work for the long term.

Paul

ember1205
40 minutes ago, ebr said:

And in the options what is the "Startup behavior" set to?

It was set to automatically log in as the specified user. Upon launching the app, it would show an error indicating something close to "invalid user or password", drop at the login screen, and selecting the user would require that I enter the password. Lather, rinse, repeat.

Just now, ember1205 said:

It was set to automatically log in as the specified user. Upon launching the app, it would show an error indicating something close to "invalid user or password", drop at the login screen, and selecting the user would require that I enter the password. Lather, rinse, repeat.

Go to the settings and set it to "Always show login screen".  Then exit and come back in and log in with your password.  Then go back to the settings and set it to "Always login as this user".  See if that clears it up.

ember1205
2 minutes ago, ebr said:

Go to the settings and set it to "Always show login screen".  Then exit and come back in and log in with your password.  Then go back to the settings and set it to "Always login as this user".  See if that clears it up.

If I have time over the weekend, I will do more testing. I have already:

- Removed Admin permission for this account

- Set password-less login allowed on local network for this account

- Changed the app setting from login as this user to Remember previous user

It's working at this stage (for now) and I have to test whether or not the changes in permissions for the account will still allow me the controls I want/need for the libraries...

Mikele

Hi @Luke@softworkz,

First of all, thanks for your investigation. I would like to ask a couple of questions to make sure I got this right and also give some suggestions.

SCENARIO:

  • I have in the setting: Local Network Access => Require a password on the local network
  • I DON'T have the EmbyHelper.dll or helper.dll in the plugin folder.
  • I exposed emby through a reverse proxy (SWAG)
  • Emby starts fine and no strange stuff in the Emby logs nor in the swag logs.
  • I checked my server DNS logs and the domain listed in the advisory is NOT present.

The questions are:

  1. Given the points listed above is it safe to consider that I was NOT affected by the hack?
  2. Is emby connect affected as well?

 

SUGGESTIONS:

While I appreciate this post with the details you have provided I would do some stuff differently next time.

  • Given the severity of this, I would have sent an email warning your users (all of them). I was able to find out about this by pure luck by reading the news.
  • The information about actions to take to check if someone got hacked or actions to take to resolve the issue is NOT very clear (at least to me) and scattered among various threads in the forum. It would be nice to have detailed information on which exact file/DNS record to check (name, hashes, version, etc.). Remember that whoever reads the advisory has no background information/clue about what you are talking about. I can see a lot of users here are not tech-savvy, so a FAQ included in the advisory would come in handy. (Example: Windows users... check the following path; Linux users... check this other path.)
  • Timeline: When did you first discover the issue? How did you discover it? If someone got hacked we want to check every log, not only the last one. Having a timeline greatly reduces the effort needed by administrators to properly check their systems and take remedial action.
  • Why was the proxy variable vulnerability reported in 2020 NOT fixed earlier?? Despite the misconfig some of us might have, this was key for a successful exploitation. I also discovered this vulnerability only because of what happened. If you can't fix something for whatever reason, just warn your users so we know, and we as users/server owners can decide on the action to take.

 

Thanks for taking the time to read my post. Hopefully this is not interpreted as criticism but rather as a suggestion by a concerned user for the future, in the hope that something like this will never happen again.

Edited by Mikele
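Mikele's scenario ties the "Require a password on the local network" setting to an Emby instance exposed through a reverse proxy, and to the proxy variable issue. The snippet below is an added illustration, not Emby's code and not the actual 2020 bug (whose details this thread does not give): it shows how a "no password on the local network" rule stands or falls on how the client address is resolved behind a proxy. The addresses, headers and the TRUSTED_PROXIES setting are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example: ranges treated as "local network" and the assumed
# address of the reverse proxy (e.g. a SWAG container) in front of the server.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = {ip_address("192.168.1.2")}  # assumed proxy address


def is_private(addr):
    return any(ip_address(addr) in net for net in PRIVATE_NETS)


def client_addr_naive(peer, headers):
    # Ignores proxy headers: every proxied client looks like the proxy itself,
    # so with a LAN-side proxy all Internet clients appear "local".
    return peer


def client_addr_weak(peer, headers):
    # Believes X-Forwarded-For from anyone, so a direct client can claim a
    # LAN address simply by sending the header.
    return headers.get("X-Forwarded-For", peer).split(",")[0].strip()


def client_addr_hardened(peer, headers):
    # Honours X-Forwarded-For only when the TCP peer is a configured proxy.
    if ip_address(peer) in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[0].strip()
    return peer


def password_required(peer, headers, resolver, require_on_lan=False):
    """Decide whether login needs a password for this request.

    require_on_lan=True mirrors the "Require a password on the local network"
    setting: the decision then never depends on address resolution at all.
    """
    if require_on_lan:
        return True
    return not is_private(resolver(peer, headers))


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "192.168.1.10"}     # constructed header
    print(password_required("203.0.113.5", spoof, client_addr_weak))       # False
    print(password_required("203.0.113.5", spoof, client_addr_hardened))   # True
    print(password_required("192.168.1.2", {"X-Forwarded-For": "203.0.113.5"},
                            client_addr_naive))                            # False
```

Requiring a password on the local network, as in Mikele's setup, makes all three resolvers give the same answer, which is why that setting removes the address check from the picture entirely.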
2 minutes ago, Mikele said:

Given the points listed above is it safe to consider that I was NOT affected by the hack?

Correct, you were not affected.

2 minutes ago, Mikele said:

Is emby connect affected as well?

No.

3 minutes ago, Mikele said:

Given the severity of this, I would have sent an email warning your users (all of them). I was able to find out about this by pure luck by reading the news.

Affected systems were notified through the methods we detailed.  You were not affected so you were not directly notified.

4 minutes ago, Mikele said:

and scattered among various threads in the forum.

Hi.  Did the advisory not contain all the information needed?  What was missing?

Thanks for the feedback.

ember1205
6 minutes ago, ebr said:

Affected systems were notified through the methods we detailed.  You were not affected so you were not directly notified.

I also was not directly notified, but I -was- seemingly affected. I went to watch a show and couldn't connect to my server and found the article by pure luck. (I have repeatedly had issues with auto-update because I run as a user with the same overall permissions as "emby" but not as a user named "emby" - every update requires me to modify the start script to fix this.)

 

I am also of the camp that, once the servers had an update pushed to them that would keep them offline, an email should have been sent to everyone that's registered as a user somehow/somewhere. As a Lifetime Premium license holder, Emby has my contact information and I'm extremely disappointed that I was not viewed as being a user that should have received a direct email communication.

unisoft

So can we have the ability for no remote login page in an update soon, i.e. only Emby apps can connect, and no remote web page is presented via a browser? As an option, of course, for those that want it enabled.

Edited by unisoft
Ikario

Customers might have their systems turned off and not be affected YET but turn their system on to an out of date insecure version of Emby or have their systems broken but not tried to use Emby yet. I still can't believe a wide e-mail has not been sent.  Makes it feel like Emby (the company) is more worried about saving face than properly disclosing what is going on. 

EDIT: I was thinking I might send a merch message to the WAN Show today, I know Linus was thinking about trying Emby so maybe it gets picked up and that's an indirect way of letting more people know that they should check and make sure Emby is updated on their systems.

Edited by Ikario
Dreakon13

I didn't even realize all this was going on until 4.7.12 popped up on my dashboard, kinda surprised me since I wasn't expecting another update until 4.8 releases so I came on here and found quite the snafu.  Glad that it seems like I wouldn't have been a target in this one.  Always feels like you can do more to secure your setup and every so often with an intrusion like this you get that warm, fuzzy feeling that you're actually doing a decent job lol.

I know the Emby team isn't very large.  People think once you ask for money, you must have all the resources and manpower in the world with an expectation that you get things handled perfectly... when in this case at least, it's more likely a few individuals working around the clock assessing a serious situation.  At the end of the day it sounds like the team did their best to resolve the issue and protect users' systems quickly, and they've been upfront here on the forums with what they did and why.  I appreciate that.  Good job guys. 👍

Edited by Dreakon13
1 hour ago, Ikario said:

Makes it feel like Emby (the company) is more worried about saving face than properly disclosing what is going on. 

Hi.  That is not our intent.  As you can see there is a huge red banner on this site plus we submitted a CVE report ourselves.  We went to considerable effort to identify and mitigate affected systems and that was our focus as opposed to a blast email to everyone but there is also an issue with that as we don't have the email address of most Emby server owners (because most run for free). 

So we were in a situation where, if we sent some sort of blanket email, we would be inundated trying to address all the people that are not actually affected which would take away from our ability to help those that actually were.

So we chose a much more targeted and direct approach to try and protect people as quickly and thoroughly as possible.

Thanks

Ikario

People do not usually enter the forum; most people don't even know it exists.

Full disclosure to everyone possible is always the best approach, because there are people affected that might not realize they are affected. Yes, I get that you don't have the email of everyone that ever downloaded Emby, but doing a reasonable attempt to inform registered customers is the lowest bar possible and you have not cleared it.

And yes, you will be inundated, that's on you because you had three years to patch this. You did not take down a botnet, you took down the part of the botnet that you had access to, but there's probably lots of compromised systems out there that have no idea what's going on. 

 

If you are trying to argue that informing less people of your security issues is better than more people, then I think your approach to security is severely out of date. 

CharlieMurphy

I think Emby has handled this gracefully. Thanks.

One thing I always found odd was that making a new user doesn't prompt you to password protect the new account. I'm always afraid I would forget to assign one because it's in a separate tab or whatever.

4 minutes ago, Ikario said:

If you are trying to argue that informing less people of your security issues is better than more people

No what I'm saying is informing and directly protecting the right people was our top priority.  Anyone who was affected this way could no longer run their server and would have to go looking for help (and direct information was also placed in their logs).

4 minutes ago, Ikario said:

And yes, you will be inundated, that's on you

Perhaps but that wouldn't have allowed us to directly help the people directly affected nearly as well as the approach we took.  If we were buried under the weight of responding to the vast majority of Emby users that are not affected, we wouldn't have been able to provide as much help to those that really needed it.  This is just a reality of resources and we are doing our best to use what we have as effectively as we can.
