
Serious security concerns - Am I missing something?


pflumph


I recently started using Media Browser Connect, and found that I needed to NAT 8096 to the internet to make it work.  That's fine, but when I then hit the external port directly, I found that I was presented with a page to log in (Choose user).  When I clicked on the user tile, off I was into my server with full rights to everything.  I hadn't set passwords for my users since I have been LAN only since MB3 came out (derp).  Obviously, once exposed to the dirty internet, passwords should be set.  But from a security best practices perspective, there are some glaring issues in the default MB server setup.

 

Those are:

  • No password is required when the first user is created upon setup.  Not a huge issue, until you NAT the server to the internet, and are not warned that you are granting wide open access to your entire server configuration and library to anyone on the internet capable of running a port scan. (Edit: After reading the port forwarding tutorial on the MB website, it does say in bold at the bottom, to "Use strong passwords".  This is nowhere NEAR enough for the average user.)
  • Passwords aren't created by default when subsequent users are created.  You have to go back into the settings for that user, choose the password tab, and manually create one.  Again, uninformed users will never do this.
  • The interface exposed on 8096 presents a list of valid users.  This removes the first hurdle to hacking the system - If I already know every valid username on the system, all I have to do is brute force the password!  For 90% of the world, a simple dictionary scan will be in in 5 minutes.

I'm bothered that a lay-user setting up MB server (and NATing it to the internet) isn't going to catch this, and expose their entire library (And network!) to everyone on the internet.  I think these concerns would be relatively easy to mitigate with a couple of (simple?) changes: require passwords for all user accounts, and don't list valid users on the login page.  Implementing SSL wouldn't hurt either...

 

I would also personally like to see the ability to set up internet only users that have much harder security settings.  In other words, my soft home-friendly users and passwords (read: wife-approved) are only available on the LAN.  While hardened users are configured for accounts connecting through the internet.  Might this simply mean attaching specified users to a separate listener on the web server?  I'm a network guy, not a developer...

 

Am I missing some simple setting here?  Or is MB3 not ready to expose to the internet?  I shudder to think what I could get access to if I were to scan public IP space on 8096...


Actually, the server only exposes users that you've enabled for public access, and this is enforced at the server level, not at the client level. If you click into a user -> advanced, you can hide them from login screens. If you enable this then the server will not transmit that information publicly and you'll have to login by manually entering your username and password. Client applications also will not even know that those users exist.

 

Now as for the setup process, you're right in that it probably would be a good idea for us to encourage users to create passwords for administrative accounts, and give them the ability to set that password during the startup wizard. It is something I've been meaning to do.

 

But non administrative users can do very little and this is also enforced at the server level.


Thanks Luke,

I see that I can make my administrative user(s) hidden from the login screen.  But all users created through the standard process are still visible from the default login page (and exposed to the internet) on 8096.  This is really the exact opposite of the behavior I would expect.  To "opt-in" would be better, but I would really like to see a separate port enabled for exposure to the internet.  Then we can allow only users explicitly granted access from the internet - presumably with hardened credentials.  Is that hard to do?  Again, I'm not a dev, (I'm a packet jockey) so maybe there's a simpler way to distinguish between internet and LAN users.  Simply NATing the internal IP address to the internet seems to preclude that ability.

 

I have to be honest, had it not been my habit to pen test myself, I wouldn't have seen this.  It surprised the crap out of me...


There's plenty of risk so we take it seriously. If an admin account is hijacked it could use the API to delete media on the server.

 

As far as the question of better or worse, I do think we can do a better job of making information available at the time of setting things up rather than after, and I think that is the best route. With enough information each user can make their own decision.

 

And also we will be adding a lockout after X login attempts. It just hasn't been done yet.


Luke has it right - The standard configuration, when NAT'd to the internet, exposes all administrator access to the server.  And by default, there is no password.

 

I'm seriously considering standing up a second MB server, just for external use.

 

We tested this on a friends installation yesterday (We're both pretty "good" IT guys).  I asked him if he NAT'd MB - He said yes.  I asked him if he set passwords for his users - He said yes.  "For the external users".  Then we hit the web interface outside the firewall, and there were the hardened "external users" with password required - Nice!  AND all of the soft internal users, ready to exploit - Crap!  People will always have the easy "Click on the user tile" users for their internal stuff.  And when they do, it's all out there on the internet...

 

Try it!

http://YourInternetDNSNameHere:8096

Feels OK...

 

Now go hit:

http://YourInternetDNSNameHere:8096/mediabrowser/dashboard/index.html

Click on your admin (or any other user) and have fun.  Full admin access to the box, not even a password.

 

How many MB installations are there out there?  How many of those people are savvy enough to catch this and fix it?  I bet there's hundreds, and they don't even know it.

 

Look, I have like 3 posts and no cred in this community, but this is what I do for a living.  Any script kiddie could write a script, find 8096 open and poll for Media Browser.  Find one, and you can almost guarantee that it's wide open.  Once inside, they could script a dump of the library contents, hook the API to manipulate the real back end data, or worse...

 

I don't know how to express how urgent this issue is


Beardyname

Luke has it right - The standard configuration, when NAT'd to the internet, exposes all administrator access to the server.  And by default, there is no password.

 

I'm seriously considering standing up a second MB server, just for external use.

 

We tested this on a friends installation yesterday (We're both pretty "good" IT guys).  I asked him if he NAT'd MB - He said yes.  I asked him if he set passwords for his users - He said yes.  "For the external users".  Then we hit the web interface outside the firewall, and there were the hardened "external users" with password required - Nice!  AND all of the soft internal users, ready to exploit - Crap!  People will always have the easy "Click on the user tile" users for their internal stuff.  And when they do, it's all out there on the internet...

 

I don't know how to express how urgent this issue is

 

 

Actually no, for users connecting from outside I require them to have passwords. (Make sure when you test this that you don't test it from the inside.)

I'm not doing anything in the IT field, I just believe that in the trade-off between convenience and security you go for security. Aka I read through all the settings to make sure it functions how I want it to and, more importantly, I know what it is doing and how.

 

But i agree that more work could be done in this area, mostly for the "casual" users

However, except for putting up signs that "Hey, passwords are good", it's not really the MBS team's job to force security upon its users. (MS won't try to tell you how to lock down your machines.)

 

 

I mean look at the shit people are posting to facebook etc that could severely be used to get into their systems or worse (have actually seen idiots post their new credit card with full cvv code and all)

Therefore I still believe it's up to the users to make sure they know what they are setting up, but stuff like "passwords are good" signs should be posted around these areas to start the thinking process amongst the users.

 

*edit*

I'm not trying to be rude or anything so I hope I don't come across as this, but as a script kiddie myself (again, I don't work in IT, I just play a lot of games on my PC), I believe it's my own fault if something bad happens that I could have prevented by not being lazy.

 

(Now with the new PIN function there is no excuse really for not using a password.)

 

*edit2*

The dashboard event feature is great for testing to see where people are actually signing in from. (Not as much as before, when there was an option to remove passwords for local area access, but still useful to see that the PIN function does not work from the outside.)

Edited by Beardyname

No offense taken Beardyname  :)

 

Maybe I'm overreacting.  I just fear for those that aren't going to know to change the security settings (hiding users, setting passwords, etc.)

 

Maybe it's really a "feature request" - to have another listener to use for external access, that doesn't present so much data, and expose user names...


Beardyname

No offense taken Beardyname  :)

 

Maybe I'm overreacting.  I just fear for those that aren't going to know to change the security settings (hiding users, setting passwords, etc.)

 

Maybe it's really a "feature request" - to have another listener to use for external access, that doesn't present so much data, and expose user names...

 

Good :) I know that I sometimes come off as a bit short. To reply to your statement about over-reacting: probably, and probably not :)

 

I mean even one user getting destroyed is one too many. I think the solution is a mix of what Luke spoke about and (here is where you and I can help) to inform and educate other users and make sure they know what they are doing when opening up their systems to the world-wide-web. Like when we recommend MB to other people, to make sure they lock down their system and if they need any help provide the best support we possibly can :)


Yeah, I think the good news is that everything that is done by default can be disabled, so there isn't a situation where choice is taken away. The area of opportunity for improvement is to present the information and choices at earlier stages.


dark_slayer

Luke has it right - The standard configuration, when NAT'd to the internet, exposes all administrator access to the server.  And by default, there is no password.

 

Everyone can have varying opinions on what is a big risk and what isn't

 

The part a casual user will read above and believe is that you are exposing administrative access to your server with nothing other than a simple password hack. You are actually only exposing administrative access to mediabrowser running on your server (semantics as to what someone refers to as "server" I know, but let's be specific). Your attack vectors then all have to go through Mediabrowser (which I didn't think ran at elevated privileges anyway, only user . . . now I need to check)

 

In avsforum there is a post about once/month about the security of your network, security of letting people access your media through plex, etc. Most real attacks just want unfettered control over your broadband network connection, not your movie library. To me having my mediabrowser admin account hijacked would be a pita but not a real risk - i.e. It wouldn't harm anything outside of mediabrowser and while I'd be annoyed I could repair the damage done

 

That was a tradeoff I lived with for years running plex on my server and now mediabrowser, and honestly in terms of script kiddies and attack vectors there is a whole lot of "lower-hanging-fruit" out there than mediabrowser users


But if your admin account or any account that you granted delete privs to was logged into, then they could delete lots of your content very easily and I'm sure if this happened they would get upset.  End of the world, NO, but upset nonetheless.

 

To be honest I wouldn't mind a server setting that would require any admin or person who can modify data in any way to be forced to set a password for those accounts when creating them.  However, that will probably just get overly complex for most ops.  A server setting such as "Require Passwords For All Accounts" would be good enough.

 

If Require Passwords was enabled by default during setup and the first account (admin) was prompted to enter a password during install then things should technically be covered from the start.

 

Carlo


mediacowboy

I work in IT and after reading this I have to agree. I think passwords should need to be set up at the time of account creation. There is a feature Luke and the team implemented a while back that makes this more wife/kid friendly and removes the need for two servers. If you go to the user's settings and set a strong password, you then have the option to set the user to not need a password when connecting to the local network. (See photo.) Which is what I do. So set a super strong password for any and all of your users and then set it so they don't need it locally. Now for external access they will have to know the password, or you can set the password on the devices and have it saved. I know first hand this is how I have my wife's iPad and iPhone set up. Please don't take this as me being rude, just a thought.

 

[Attached screenshot: 54dad2158f1e3_LocalAccess.png (the per-user local-access setting)]


moviefan

This would be my suggested remedy for this issue:
 

- Enable checkbox under each user account for "Allow External Access"

- When this option is checked, if no password has been configured for the user, display a very visible warning about the security risk and make the user click ok to accept this risk

 

This would avoid needing to set up a separate port to configure things differently (MB already knows when people are external) and would also allow for pflumph's desire to be able to tighten security permissions as much as possible for the users that are configured to be accessible externally.

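Several posts in this thread describe server-side rules rather than UI: Luke's point that hidden users are filtered out by the server before any client sees a name, the lockout after X failed logins he says is planned, mediacowboy's "strong password, but not required on the local network" setting, and moviefan's proposed per-user "Allow External Access" checkbox with a warning when the account has no password. The Python model below is an added example written for this page; it is not Media Browser's code, and the class, the lockout threshold, the RFC 1918 definition of "local", and the sample users are all assumptions chosen to show how those rules combine.

```python
"""Model of the login policy discussed in the thread: hidden users, LAN-only
password bypass, lockout after repeated failures, and an explicit per-user
external-access flag. Illustrative only; not Media Browser's own code."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5  # assumed value for the "lockout after X attempts" in the thread

# Assumption: RFC 1918 ranges count as "the local network".
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: Optional[bytes]    # None: no password has ever been set
    is_admin: bool = False
    hidden_from_login: bool = False   # user -> advanced -> hide from login screens
    no_password_on_lan: bool = False  # strong password, but skipped on the LAN
    allow_external: bool = False      # hypothetical per-user "Allow External Access"
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked user table does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, password: Optional[str] = None, **flags) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt) if password else None, **flags)


def is_local(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETWORKS)


def public_users(users: Dict[str, User]) -> List[str]:
    """Names the login screen may list. The filter runs on the server, so a
    client (or anyone hitting the port) never receives hidden users' names."""
    return [u.name for u in users.values() if not u.hidden_from_login]


def enable_external_access(user: User) -> Optional[str]:
    """Set the external-access flag; return warning text the UI must show and
    have the admin acknowledge when the account has no password."""
    user.allow_external = True
    if user.password_hash is None:
        return f"'{user.name}' has no password; external logins stay refused until one is set."
    return None


def authenticate(users: Dict[str, User], name: str, password: Optional[str], client_ip: str) -> str:
    user = users.get(name)
    if user is None:
        return "bad-credentials"  # same answer as a wrong password: no username oracle
    if user.locked:
        return "locked"
    local = is_local(client_ip)
    if not local and not user.allow_external:
        return "bad-credentials"  # not exposed externally at all; indistinguishable from unknown
    if user.password_hash is None:
        return "ok" if local else "password-required"  # password-less accounts are LAN-only
    if local and user.no_password_on_lan:
        return "ok"
    if hmac.compare_digest(hash_password(password or "", user.salt), user.password_hash):
        user.failed_attempts = 0
        return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked = True
        return "locked"
    return "bad-credentials"


def build_demo_users() -> Dict[str, User]:
    """Constructed sample accounts mirroring the thread's scenarios."""
    admin = create_user("admin", "correct horse battery", is_admin=True,
                        hidden_from_login=True, allow_external=True)
    kids = create_user("kids")  # tile-click account, no password, LAN only
    wife = create_user("wife", "s3cret", no_password_on_lan=True, allow_external=True)
    guest = create_user("guest")  # no password; see enable_external_access()
    return {u.name: u for u in (admin, kids, wife, guest)}


if __name__ == "__main__":
    users = build_demo_users()
    print("login screen lists:", public_users(users))
    print("warning:", enable_external_access(users["guest"]))
    print("kids from LAN:", authenticate(users, "kids", None, "192.168.1.20"))
    print("kids from internet:", authenticate(users, "kids", None, "203.0.113.5"))
```

The scenario pflumph describes (a tile-click user with no password reachable from outside) cannot happen in this model: password-less accounts only ever succeed from a local address, and an account the admin did not explicitly flag for external use answers exactly like a non-existent one, so the public port leaks neither the user list nor which names exist.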

Angelblue05

Like Luke said, I think better awareness when setting up the server should be enough. It's best to keep the "out of the box" experience simple and give the option to users to opt-in better security layers. We don't want to turn into Vista where every layer of security is enabled, like Are you sure? Are you really really sure? Just to make sure, are you sure? Haha :P It was an annoyance and the first thing I disabled.

 

Instead, the user should be able to opt-in, specifying what impact it will have on external access, without having to first unselect a bunch of options that are not always necessary. If there's an explicit definition, I believe it will have a positive impact in the community and save a lot of users later headaches of "why can't I connect to my server?"

 

This is just my opinion, better awareness, but let the user opt-in better security layers.  :)

Edited by Angelblue05

skl_mobile

Luke has it right - The standard configuration, when NAT'd to the internet, exposes all administrator access to the server.  And by default, there is no password.

 

I'm seriously considering standing up a second MB server, just for external use.

 

We tested this on a friends installation yesterday (We're both pretty "good" IT guys).  I asked him if he NAT'd MB - He said yes.  I asked him if he set passwords for his users - He said yes.  "For the external users".  Then we hit the web interface outside the firewall, and there were the hardened "external users" with password required - Nice!  AND all of the soft internal users, ready to exploit - Crap!  People will always have the easy "Click on the user tile" users for their internal stuff.  And when they do, it's all out there on the internet...

 

Try it!

http://YourInternetDNSNameHere:8096

Feels OK...

 

Now go hit:

http://YourInternetDNSNameHere:8096/mediabrowser/dashboard/index.html

Click on your admin (or any other user) and have fun.  Full admin access to the box, not even a password.

 

How many MB installations are there out there?  How many of those people are savvy enough to catch this and fix it?  I bet there's hundreds, and they don't even know it.

 

Look, I have like 3 posts and no cred in this community, but this is what I do for a living.  Any script kiddie could write a script, find 8096 open and poll for Media Browser.  Find one, and you can almost guarantee that it's wide open.  Once inside, they could script a dump of the library contents, hook the API to manipulate the real back end data, or worse...

 

I don't know how to express how urgent this issue is

 

This is very very bad.

 

Luke,

how long till you guys can fix this?


We are concerned about security and want to make improvements but realize it is completely within the individual user's power to lock it down with either passwords or not allowing access externally at all.


Beardyname

This is very very bad.

 

Luke,

how long till you guys can fix this?

 

Fix what?

 

The thing he posted should resolve in a blank page unless you have logged in from this browser at that location in the past. (Or random gibberish as it does for me, just a line of static HTML and no user content or user selection screen anywhere.)

 

This thread is more of a discussion on what MB should do to inform users on what they are doing.

 

 

*edit* also what ebr said.

Edited by Beardyname

Well for anyone reading, the important thing to make note of is that anything the server does by default can be changed. So all of these things are under your control in the server dashboard. This discussion is just about changing the setup process so that choices can be made before, not after.


skl_mobile

We are concerned about security and want to make improvements but, for anyone reading this and getting alarmed, keep in mind that we are talking about potential access to your media and not your bank account.

 

That doesn't make it un-important, but not quite as serious as some may infer from just skimming through the discussion here.

 

Also, it is completely within the individual users power to lock it down with either passwords or not allowing access externally at all.

 

It is completely on the person installing MB to lock it down themselves. But if this process is changed so that MB has the user opt out of the security, then the default installs will be more secure, and therefore MB would still be giving the choice to the user to be insecure, but they have to actually make that decision for themselves.

 

Fix what?

 

The thing he posted should resolve in a blank page unless you have logged in from this browser at that location in the past. (Or random gibberish as it does for me, just a line of static HTML and no user content or user selection screen anywhere.)

 

This thread is more of a discussion on what MB should do to inform users on what they are doing.

 

 

*edit* also what ebr said.

Just because you can't reproduce it doesn't mean it's an issue that should be ignored.


It is completely on the person installing MB to lock it down themselves. But if this process is changed so that MB has the user opt out of the security, then the default installs will be more secure, and therefore MB would still be giving the choice to the user to be insecure, but they have to actually make that decision for themselves.

 

Yes and that is what we are discussing doing here.  We need to weigh ease of use with security and, as it was in the Vista example, many times those things are at odds with each other.  As I said we can improve here.


skl_mobile

Yes and that is what we are discussing doing here.  We need to weigh ease of use with security and, as it was in the Vista example, many times those things are at odds with each other.  As I said we can improve here.

Please tell me MB isn't like Vista; I plan to start installing this weekend!


Deathsquirrel

How about a popup during creation of the first user account?  It can say something like "Don't open the MB port in your firewall until you have set up secure user accounts, you dummy!"


techywarrior

Please tell me MB isn't like Vista; I plan to start installing this weekend!

Ebr was just referring to how MS tried to be more secure but there was a backlash with the amount of security prompts to elevate privileges. They had to scale that back a lot in the service pack and again in Win7. I am sure part of it was better use of just prompting once instead of each action the program was taking but there are also now a lot of instances where prompts are just not made anymore and that isn't as good as informing the user all the time.

 

He wasn't trying to say that MB is like Vista. Just a comparison in how security and ease of use can be at odds and most people prefer ease of use. (even if it isn't good for them)


This is the conversation I wanted to trigger  :)

 

I hadn't found the "Don't require passwords for internal users" (Or at least hadn't connected what that does, with what I want).

 

Ideally, I think with mandatory passwords (and the ability to bypass them internally), 95% of my concerns are gone.  My urgency is simply because there have to be hundreds of MBS on the internet, wide open.

 

I agree that security is the responsibility of the user.  But *most* users aren't going to do that unless prompted/forced to do so.  Granted, maybe "that's not our job", and we certainly don't want to "Vista" MBS!  But at a minimum, users should be aware that when they click this button, bad things can happen if they don't secure first.

 

For what it's worth, I installed Plex last night on a new VM.  External access is exactly what we have been now discussing here.  The only difference, it seems, is defaults.

 

I vote (Is this a democracy?) for requiring passwords, immediately followed by a box to opt-out for local users.  Problem solved.  Oh, and take the username tiles off the page when hit from external networks...
